ClearFoundation Tracker - ClearOS
View Issue Details
0001822ClearOSapp-zarafa-community - Zarafapublic2014-06-25 16:392014-06-26 09:52
marclaporte 
 
normalminoralways
confirmedopen 
 
 
0001822: Zarafa: force https use for all data & related security enhancements
1- Zarafa webapp and webaccess should not be accessible in http, but only in https
visiting http://example.org/webapp/ [^] or http://example.org/webaccess/ [^] should redirect to https

RequireSSL & php_flag session.cookie_secure and some other great tips here:
https://community.zarafa.com/pg/blog/read/16779/securing-webapp [^]


2- It should be possible to deactivate any calls to different domains.

On https://example.org/webapp/, [^] Firefox reports "Firefox has blocked content that isn't secure" as per https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety [^]

Ex.: When clicking on "Feedback?", a script from http://jira.zarafa.com/ [^] is loaded.
http://www.zarafa.com/content/zarafa-privacy-policy#webapp-feedback [^]
https://community.zarafa.com/pg/blog/read/15005/webapp-the-feedback-plugin [^]
a) There should be an option in https://example.org:81/app/zarafa_community [^] to turn it off
b) It should be in https instead of http


Related: http://tracker.clearfoundation.com/view.php?id=995 [^]
No tags attached.
Issue History
2014-06-25 16:39marclaporteNew Issue
2014-06-26 09:52user2Statusnew => confirmed

There are no notes attached to this issue.