Content from 2015-08

Mixed content no more

posted on 2015-08-07

TBRSS is SSL-only, but many feeds are HTTP-only, and many of those feeds have images. In modern browsers, insecure assets – including images – generate mixed-content warnings, at varying levels of severity.

In the context of a feed reader, such warnings are useless. But as browsers are moving towards more secure defaults, it seems wise to fix it before it becomes a problem.

The basic technique is nothing new. You can read about the details in a Github blog post from 2010 – in short, insecure URLs are fetched through a secure proxy.

This is what TBRSS does, with one bandwidth-saving complication: we parse the rules from the HTTPS Everywhere extension and, when possible, directly re-write insecure URLs to their secure equivalents – in which case no proxy is needed.

Drakma, now with SNI

posted on 2015-08-05

A while ago, I was alerted by a blog post to the fact that Drakma, the HTTP client that TBRSS uses, did not support SNI.

At that time, I added support in both CL+SSL and Drakma for TBRSS’s own use, and made a pull request for CL+SSL, intending to make another pull request for Drakma once the first had been merged.

I am pleased to report that, after a long (but not unreasonable) delay, that second pull request has been made and merged, and stock Drakma can be used with SNI-enabled hosts.

This blog covers lisp, code


Unless otherwise credited all material copyright by Paul M. Rodriguez