Very Computer

It appears that once secure URL is called (via https://...),
every URL that is called from within that original secure URL
automatically inherits encrypted (i.e. https://...) status if they
are coded as:

<a href="foo.html">foo</a> or <a href="/cgi-bin/foo.cgi">foo</a>.

Is there any way to force the above URLs to always revert to
a non-secure (i.e. http://...) connection short of calling a fully
qualified "http://www.foo.xxx://foo.html"? Thanks.

Server version: Apache/1.3.11 (Unix)

-mk

In general, not that I'm aware of. You could try using a <BASE> tag on
the document with the hyperlink, like
<BASE HREF="http://www.example.com/">, but that would also apply to
other references on the page, most notably the SRC attributes of <IMG>
tags. So you'd have to make other tags fully qualified, e.g.
<IMG SRC="https://www.example.com/foo.png" ALT="Foo">.

Another approach I have taken with Netscape's Enterprise server is to
make a file-not-found error handler function that redirects to a
different server. So the user initially requests
https://www.example.com/foo.cgi?bar and, the SSL server not having
such a URI, the client is redirected to
http://www.example.com/foo.cgi?bar. The biggest problem I've
encountered with that is that any "#" internal name refs in the
original link will be lost. (It's also a waste of bandwidth and SSL
server resources; you just have to balance that cost against the cost
of fixing the HREF's). I assume something similar is possible in
Apache; I've never had to try.

-Peter

--
http://www.bastille-linux.org/ : working towards more secure Linux systems

Quote:> It appears that once secure URL is called (via https://...),
> every URL that is called from within that original secure URL
> automatically inherits encrypted (i.e. https://...) status if they
> are coded as:

> <a href="foo.html">foo</a> or <a href="/cgi-bin/foo.cgi">foo</a>.

Of course.  This has nothing specifically to do with secure URLs, it's
a natural consequence of the rules for resolving relative URLs with
respect to the base URL of the document.

Quote:> Is there any way to force

Oh dear.  The standard answer to all such questions is "force does not
work on the WWW".  However, for once it's not that bad.

Quote:> the above URLs to always revert to
> a non-secure (i.e. http://...) connection short of calling a fully
> qualified "http://www.foo.xxx://foo.html"?

You can obviously specify a BASE tag in HTML.

But you might want to keep in mind that browsers tend to alert users
about leaving a secure site, which is understandable for security
reasons; so you could be causing them quite a lot of nuisance with
security alerts if you expect them to be entering and leaving the
secured server while browsing around.

As always, the use of a BASE tag can make page previewing inconvenient
(i.e prior to posting onto the actual server).  If you work in that
way, you might want to leave the BASE out until you're ready to
actually publish the page to the server.

Quote:> Server version: Apache/1.3.11 (Unix)

OK, it's good to provide as much relevant detail as possible when
posting questions.  But in this particular instance, it's a feature of
the protocols and of the behaviour of client browsers, so I don't
think your actual server makes any difference in this regard.