Remove "Https Redirect" global setting? #17

Open
abias opened this issue May 7, 2015 · 2 comments
Comments

@abias
Contributor

abias commented May 7, 2015

Hi,

may I ask what's the purpose of the "Https Redirect" global setting of this module?

IMHO it's obsolete for websites running completely on HTTPS with a https:// URL set in $CFG->wwwroot.

Thanks,
Alex

@tjwelde
Collaborator

tjwelde commented May 22, 2015

I think more and more people are switching to HTTPS nowadays.
Nevertheless, if you want to provide the etherpadlite server only over https (so that no one can intercept the connection), with this setting Moodle also switches to HTTPS, so that the user won't get a "mixed mode" warning and feels secure.

@abias
Contributor Author

abias commented May 24, 2015

Hi Timo,

now I understand your intention. We should avoid mixed content at all means. However, I think you should think about the following things:

  • Including HTTPS content in a HTTP website is no problem. You are only including more secure content into a less secure website, browsers don't care about that (please correct me if I'm wrong). So your example with a HTTPS Etherpad server and a HTTP Moodle is no technical problem.
  • Including HTTP content in a HTTPS website is a problem. If you are including a HTTP Etherpad server into a HTTPS Moodle, users will get mixed content warnings. This could be checked in your plugin and could give a warning to the admin, but that's not what your code is about.
  • Switching a HTTP Moodle to HTTPS is not as easy as adding a "s" to the URL's protocol part. You also have to make sure that the Moodle webserver responds on 443 and has a valid certificate installed. Your code does not deal with these questions.

Summing up, I would like to propose that you remove the code for $config->ssl completely and replace it with a clear and prominent explanation message on the settings page to notify the admin that he has to make sure that the protocols of Moodle and Etherpad match.

Thanks,
Alex
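
The protocol check suggested in the comment above, sketched as an added example that is not part of the original thread or the plugin's code. The function name `padcheck_compare_schemes` and the sample URLs are hypothetical; the first argument stands for the value of `$CFG->wwwroot`.

```php
<?php
// Added example: not code from the etherpadlite plugin.
// Function name and sample URLs are hypothetical.

/**
 * Compare the scheme of Moodle's wwwroot with the Etherpad server URL.
 * Returns ['level' => 'ok'|'notice'|'warning'|'error', 'message' => string].
 */
function padcheck_compare_schemes(string $wwwroot, string $padurl): array {
    $schemes = [];
    foreach (['Moodle' => $wwwroot, 'Etherpad' => $padurl] as $name => $url) {
        $scheme = parse_url(trim($url), PHP_URL_SCHEME);
        // parse_url() gives null when there is no scheme (e.g. "//host/")
        // and false when the URL cannot be parsed at all.
        if (!is_string($scheme)
                || !in_array(strtolower($scheme), ['http', 'https'], true)) {
            return ['level' => 'error',
                    'message' => "$name URL must start with http:// or https://"];
        }
        $schemes[$name] = strtolower($scheme);
    }
    if ($schemes['Moodle'] === $schemes['Etherpad']) {
        return ['level' => 'ok', 'message' => 'Protocols match.'];
    }
    if ($schemes['Moodle'] === 'https') {
        // HTTP pad embedded in an HTTPS page: the mixed content case.
        return ['level' => 'warning',
                'message' => 'Moodle uses HTTPS but Etherpad uses HTTP; '
                           . 'users will get mixed content warnings.'];
    }
    // HTTPS pad embedded in an HTTP page: protocols differ, but this is the
    // direction the comment describes as no technical problem.
    return ['level' => 'notice',
            'message' => 'Etherpad uses HTTPS but Moodle uses HTTP; '
                       . 'protocols do not match.'];
}

// Constructed sample values covering each outcome.
$cases = [
    ['https://moodle.example.org', 'https://pad.example.org'],
    ['https://moodle.example.org', 'http://pad.example.org:9001'],
    ['http://moodle.example.org',  'HTTPS://pad.example.org'],
    ['https://moodle.example.org', '//pad.example.org'],
];
foreach ($cases as [$wwwroot, $padurl]) {
    $r = padcheck_compare_schemes($wwwroot, $padurl);
    printf("%-8s %s -> %s: %s\n", $r['level'], $wwwroot, $padurl, $r['message']);
}
```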
