Secure Assets about asset-pipeline HOT 8 CLOSED

Not tried secure urls yet, but what seems to be failing? Do you have an example I can see?

from asset-pipeline.

Same issue here. When you make a secure https request and the content is insecurely linked (a la http://localhost/assets/js/application.js). The content is simply blocked from loading.

I think the logic in question is located here:
https://github.com/CodeSleeve/asset-pipeline/blob/master/src/Codesleeve/AssetPipeline/SprocketsBase.php#L273

The general solution (as far as I am concerned) is to omit the the "http" or "https" from the path. So the path would look like "//localhost/assets/js/application.js"

Because I don't fully understand what's being leveraged/extended with the code in question, my 30-second monkey patch looks like:

$remove = array('http:', 'https:');
$path   = app('url')->asset($path, $this->config->get('secure'));
return str_replace($remove, '', $path);

It works, but it feels dirty.

from asset-pipeline.

Well, it looks like the approach I use above is as good as it gets:

https://github.com/laravel/laravel/issues/1661#issuecomment-12959572

Surely, there must be a better way? If not, let me know, I'll fork and issue a pull request.

from asset-pipeline.

@weblee In your config file for asset-pipeline (do config publish if you haven't already) can you put a 'secure' => true

from asset-pipeline.

@evantishuk put the change you suggested into dev-testing will merge on next tagged version

from asset-pipeline.

I'm traveling atm... might be a couple days before I get back into work-mode. Will post then.

from asset-pipeline.

So, I checked out the testing branch and it looked like the code I suggested was already integrated. So, I figured I'd dig a little deeper on the original issue and I found a couple things that probably need to be considered.

First, I wanted to see what was going on with $this->config->get('secure') because I couldn't find it being set anywhere in any config file (at least not for me). So, I went into the package's config and added secure = true and checked what the function was seeing. As it turned out, it was not correctly getting picked up. It was returning array() instead of true. This is because the syntax is incorrect. It should be: $this->config->get('asset-pipeline::secure');. So do we want to even keep the secure config flag as a concept (unsupported as it was)? Obviously it seemed like a good idea at one point, but it doesn't seem relevant or documented if we decide to strip out the protocol and reverse what the getScheme function is doing. At the same time, it does seem reasonable to allow for explicitly saying "I want my assets to be secure, damnit" -- though, I'm having a tough time thinking of a case where I'd ever do that.

Second, remember I mentioned that the faulty $this->config->get('secure') was returning an empty array? Well, I wanted to see if that might have been why the original code was borking with secured assets. And, that seems to have been the case. Check out this Laravel issue: laravel/framework#2171 and, more specifically, the getScheme function here: http://laravel.com/api/source-class-Illuminate.Routing.UrlGenerator.html#161. As you can see, if you pass that function an array, you're going to have a bad time. This was the root of the the original issue.

Ok, so, to wrap this up. I begrudgingly think we should change the code to look something like:

$secure = $this->config->get('asset-pipeline::secure');                   
return app('url')->asset($path, $secure);

It appears to behave as originally intended and has the benefit of working with Laravel instead of against it. Personally, I think removing the protocol string makes good sense, but I don't like fighting with Laravel and I don't get the sense they're going to change the core functions any time soon (though several have suggested it).

As a compromise, perhaps the config could contain 'protocol' => null (default Laravel behavior) or 'protocol' => 'secure' (set secure to true) or 'protocol' => 'none' (strip the protocol). Or, we could add an additional config flag like 'strip_protocol' => true

Thoughts?

from asset-pipeline.

I'm not sure about a the best solution but here's a workaround that works:
Create a secure.php in your app's config folder and paste the following as its content

<?php
return true;

This should set the secure flag to true and make the asset pipeline server secure assets.

from asset-pipeline.