overpass-turbo
Redirect to HTTPS
It is needed, not only because you need it, but also because major browsers stopped/will stop supporting geolocation when not using HTTPS.
So finally redirect to HTTPS, and use HSTS.
That means that you cannot use an Overpass API server which supports HTTP only anymore, which is a clear no go imho.
Let the user decide to use HTTP or HTTPS, or simply disable the "Go to my location" button, if called via HTTP. Most users probably don't need this feature anyway.
> That means that you cannot use an Overpass API server which supports HTTP only anymore, which is a clear no go imho.
Are you sure? This will result in a mixed content warning, but not an abort IMO.
In Chrome you see an error along with an icon "This is trying to load scripts from unauthenticated sources", which you have to acknowledge first. Firefox also doesn't like loading http via XHR and you get an error popup.
Compatibility with old applications is a thing, indeed, although all applications should handle redirects correctly. However, you have to redirect users to HTTPS and you also have to allow applications to connect via HTTP.
E.g. only redirect user-facing sites (even if that would only be the home page), or do UA sniffing, or only redirect API subdirs or so... Combined with HSTS (which most API-using applications will BTW mostly ignore) this is still secure.
@rugk: The overpass turbo web frontend and the overpass api backend are on completely different domains. Not sure how your statement applies here. It's a valid scenario to run an overpass server with http only.
Ahh so then it is even easier. Use HTTP/HTTPS for API domain and HTTPS-only for user-facing things.
BTW, because I think you are talking about different things here: Of course, I only mean the official server/website. When someone self-hosts the server, he/she can of course do whatever they want.
> Use HTTP/HTTPS for API domain and HTTPS-only for user-facing things.
As I mentioned before this doesn't work. Calling the API in CORS mode over http from a site that is being served via https is blocked by different browsers, and I don't see how this would change with HSTS.
I'm having a really hard time to find out what you're trying to say, please try Overpass turbo for yourself and come up with more concrete proposals that are relevant for the application at hand.
Of course you need to allow https in the API. And as said, if one uses a different server then this does not apply. (I'm just talking about the usual website visitor; this user does not use a different server.) Just as it is currently, you already can use https on the website, so now just make it mandatory/redirect.
> I'm just talking about the usual website visitor; this user does not use a different server
If the main instance "overpass-api.de" is down for whatever reason, you want to switch to a different server in "Settings -> Server", e.g. use http://overpass.osm.rambler.ru/cgi/
With your proposal to automatically switch to https, you cannot use overpass turbo at all in that case, because all those http only API servers are no longer usable. Again, not all API servers support https, and people do want to be able to switch to another server if needed.
Okay, I see. But you could still redirect the user, when the main site is visited.
Or maybe a better idea: make a legacy subdomain (http.overpass-api.org), which uses HTTPS and allows using these legacy servers, but redirect the main website to HTTPS.
> Or maybe a better idea: make a legacy subdomain (http.overpass-api.org), which uses HTTPS and allows using these legacy servers, but redirect the main website to HTTPS.
Oh, well, there isn't even a domain overpass-api.org to start with, and you seem to be mixing up Overpass Turbo and Overpass API. What you meant is probably something like "have a subdomain http.overpass-turbo.eu, which uses HTTP"?
Indeed, the API domain should stay compatible of course, and in this way it does not need to change.
BTW I am also talking about the share dialog. This also always gives HTTP links. It should, however, (especially when the site is accessed via HTTPS) give HTTPS links.
See also: OpenStreetMap.org issue about HTTPS.
Yet there is another link: The shortlinks generated when sharing a query can also be accessed via HTTPS, but they always redirect to the HTTP version…
I'm wondering if overpass-turbo keeps any trace of what overpass servers the users are using? It's all done client-side, isn't it? Otherwise we could see how big of an issue http-only API servers really are.
> It's all done client-side, isn't it?
Yep. I have no information about which overpass servers users are actually using how often.
@rugk:
> The shortlinks generated when sharing a query can also be accessed via HTTPS, but they always redirect to the HTTP version…
This was a bug that should be fixed now. :blush:
Not sure if you are aware, but Chrome now blocks getting the location on http://overpass-turbo.eu/#, effectively breaking an important part of the program.
@carstenhag: oh well, that's not really news. It's been that way since Chrome 50, or more specifically since April 20 2016
If you have compatibility issues in mind, why not simply show a popup that shows a "Use the https link for location to work!" text?
I'd still argue for having a "http.overpass-turbo.eu" domain, which can be accessed via HTTP, and the default one just uses HTTPS. As the default Overpass-API server supports HTTPS and, I guess, 70% of all users do not use a different server (many – as I initially – likely won't even know it is possible), using HTTPS by default (even with HSTS – without includeSubdomains of course) is possible.
@carstenhag: You're right, the geolocation feature should be disabled/hidden in http, or explained why it doesn't work! (patches welcome :blush:)
@rugk Besides not all Overpass-API instances supporting https, another important issue preventing the switch over to https (with HSTS enabled) is that people might have queries (or other settings) saved in their browser's local storage which they would like to keep. As far as I know there is no way to access the contents of a site's http local storage when being on https (same as with a different subdomain). Not sure what the best practice would be for such a case, but I'm leaning towards @mmd-osm's initial comment: Let the user decide to use HTTP or HTTPS :thinking:
Please, enable HSTS. The website does not work well via HTTP because some CDNs are blocked in Russia, but it works fine via HTTPS.
As for data migration I only found: https://stackoverflow.com/questions/46509174/migrate-localstorage-data-from-http-to-https
Otherwise you maybe just need an "export" and "import" feature for the user. That may also generally be a nice thing, so users could move to a different instance of overpass-turbo (if such a thing exists).
> just need an "export" and "import" feature
This wouldn't actually solve the issue since after enabling HSTS, one couldn't access the http-version anymore to export the queries from.
Yeah obviously you may have some "migration time" (some months or so), where users can export and import their stuff. In that time, you can already enable the HTTPS redirect, just not HSTS, so users can export it. Also possibly add a notice so users know what to do.
What is sure is that the HTTP version is no longer useful and sooner or later you have to migrate. Geolocation is already prevented…
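For reference, here is what the phased plan discussed above (HTTPS redirect first, HSTS only after a migration window, plus a non-redirected legacy subdomain and HSTS without includeSubDomains) looks like as a web server configuration. This is an added nginx example, not the project's deployment; the domain names come from the thread, while the certificate paths, document root and the `/export.html` page are placeholders.

```nginx
# Phase 1 (migration window): the main hostname redirects to HTTPS, but the
# HSTS header is not sent yet. One page stays reachable over plain HTTP so a
# user can still open the http://overpass-turbo.eu origin and export the
# localStorage contents that belong to that origin (localStorage is keyed by
# scheme + host + port, so the HTTPS origin cannot read it directly).
server {
    listen 80;
    server_name overpass-turbo.eu;
    root /var/www/overpass-turbo;          # placeholder document root

    # Hypothetical export page served from the old HTTP origin.
    location = /export.html {
        try_files /export.html =404;
    }

    location / {
        return 301 https://overpass-turbo.eu$request_uri;
    }
}

# Legacy entry point: plain HTTP only, never redirected, so queries against
# HTTP-only Overpass API servers keep working from this hostname.
server {
    listen 80;
    server_name http.overpass-turbo.eu;
    root /var/www/overpass-turbo;          # placeholder document root
}

# Main site over TLS.
server {
    listen 443 ssl;
    server_name overpass-turbo.eu;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder
    root /var/www/overpass-turbo;          # placeholder document root

    # Phase 2 only: enable after the migration window has passed and the
    # /export.html location above has been removed. Deliberately without
    # includeSubDomains, otherwise browsers would also refuse plain HTTP to
    # http.overpass-turbo.eu. Browsers ignore HSTS received over HTTP, so the
    # header only makes sense on this TLS server block.
    # add_header Strict-Transport-Security "max-age=31536000" always;
}
```

Once the HSTS header is live, the HTTP origin becomes unreachable for browsers that have seen it, so the export path must be offered (and announced) before that step.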