FHIR Chat · Redirect to secure hl7 page · IG creation

Stream: IG creation

Topic: Redirect to secure hl7 page


Laxmi Singh (Jun 22 2021 at 13:19):

Below is the screenshot of the terminology Bindings table which gets displayed by default on each resource page.
image.png
Under the conformance, if you click on any Binding strength value, e.g. 'extensible', it will redirect to "http://hl7.org/fhir/R4/terminologies.html#extensible". Please notice it redirects to 'http', NOT 'https'. My requirement is to redirect it to https. How can this be achieved, as 'http' is insecure? A similar issue happens when I click on a codeSystem/ValueSet link from the Terminology table. As this table comes by default, I am not sure how to edit anything inside this table.

Eric Haas (Jun 23 2021 at 05:19):

this base path "http://hl7.org/fhir/R4/" is generated by the ig-publisher for all the fhir artifacts and cannot (as far as I can tell) be modified. However, if you are publishing locally and not using the autobuilder you could try a find and replace in the output file as a post ig-publisher step.

Laxmi Singh (Jun 23 2021 at 05:25):

I am running the Publish.bat file to create the IG. My IG is embedded into my company's URL, which is https, so when I am clicking on any HL7 FHIR link which is redirecting to 'http://hl7.org/fhir/R4/' it is unable to open in the same view.
image.png

Laxmi Singh (Jun 23 2021 at 07:00):

@Jose Costa Teixeira Do you have any suggestions? Is there a way to do it?

Eric Haas (Jun 23 2021 at 07:19):

....so why not do a find "http://hl7.org/fhir/R4/", and replace "https://hl7.org/fhir/R4/" of the static html files in the output folder...

Grahame Grieve (Jun 23 2021 at 07:23):

well, this is something I should solve, but I'm not sure how simple it will be to solve. The url comes from the packages, and these are immutable.

Laxmi Singh (Jun 23 2021 at 10:38):

@Grahame Grieve Please take this into consideration so that FHIR URLs are HTTPS instead of HTTP.

Grahame Grieve (Jun 24 2021 at 01:50):

this turns out to be a drama. For some reason I can't see, the external link gets added to all fhir links if I change the url from http://hl7.org/fhir to https://hl7.org/fhir. I can't see why that happens

Grahame Grieve (Jun 24 2021 at 01:50):

I think it's a stylesheet thing, but I can't see why the stylesheet doesn't add it for http://hl7.org/fhir

Eric Haas (Jun 24 2021 at 01:53):

Are both http://hl7.org/fhir and https://hl7.org/fhir coded in as liquid variables or hardcoded strings or one of each?

Grahame Grieve (Jun 24 2021 at 05:06):

it has nothing to do with liquid.

Laxmi Singh (Jul 01 2021 at 06:54):

Is there any plan to include this change in the future? I will make changes in my product accordingly.

Grahame Grieve (Jul 01 2021 at 08:36):

no one has tried to solve the stylesheet problem, so I haven't turned secure links on in the code

Eric Haas (Jul 01 2021 at 15:53):

Grahame Grieve said:

this turns out to be a drama. For some reason I can't see, the external link gets added to all fhir links if I change the url from http://hl7.org/fhir to https://hl7.org/fhir. I can't see why that happens

are you referring to this?
image.png

Grahame Grieve (Jul 01 2021 at 19:20):

yes. if the links to hl7.org/fhir change to https://, all of them get that link, and they do not if they are just http://, and I couldn't figure out why the difference.

Eric Haas (Jul 01 2021 at 21:47):

here is the CSS: ~/template/content/assets/css/project.css

/* =========== external links ============= */
p a[href^="http://"]:not([no-external^="true"]):after, a[href^="https://"]:not([no-external^="true"]):after {
    content: url(../images/external.png);
    display: inline-block;
    text-decoration: none;
    padding-left: 3px;
}

li a[href^="http://"]:not([no-external^="true"]):after, a[href^="https://"]:not([no-external^="true"]):after {
    content: url(../images/external.png);
    display: inline-block;
    text-decoration: none;
    padding-left: 3px;
}

Eric Haas (Jul 01 2021 at 21:48):

and it should get applied equally to both as it does in the pages: for example here:

image.png

Grahame Grieve (Jul 01 2021 at 21:56):

image.png

Grahame Grieve (Jul 01 2021 at 21:57):

if I change the links to https:// then all the links to FHIR in this table get the external link indicator provided.

Grahame Grieve (Jul 01 2021 at 21:57):

there's other places it happens too

Eric Haas (Jul 01 2021 at 21:59):

it is happening for http too and it should not since the css is only for p and li nodes:

image.png

Eric Haas (Jul 01 2021 at 21:59):

(us core latest)

Grahame Grieve (Jul 01 2021 at 22:00):

i think that no references to hl7.org/fhir should be marked as external. Perhaps we should make that explicit in the css?

Eric Haas (Jul 01 2021 at 22:07):

One of the reasons they are added is it can be confusing to the reader when they click on a link and don't realize that they are outside the spec since the igs look very similar to the fhir spec.

Eric Haas (Jul 01 2021 at 22:08):

my example above of birth sex is actually an https link. let me investigate the css a little more

Eric Haas (Jul 01 2021 at 22:44):

ok I think this will fix it:

/* =========== external links ============= */
p a[href^="http://"]:not([no-external^="true"]):after, p a[href^="https://"]:not([no-external^="true"]):after {
    content: url(../images/external.png);
    display: inline-block;
    text-decoration: none;
    padding-left: 3px;
}

li a[href^="http://"]:not([no-external^="true"]):after, li a[href^="https://"]:not([no-external^="true"]):after {
    content: url(../images/external.png);
    display: inline-block;
    text-decoration: none;
    padding-left: 3px;
}

Eric Haas (Jul 01 2021 at 22:45):

image.png

Eric Haas (Jul 01 2021 at 22:45):

let me check if css is kosher first

Eric Haas (Jul 01 2021 at 22:51):

the original css would apply to any p or li element with href starting with "http" and any element starting with "https" so that is why.

Eric Haas (Jul 01 2021 at 22:52):

I will make a PR to the base template as a technical correction @Lloyd McKenzie ?

Lloyd McKenzie (Jul 02 2021 at 15:42):

Merged

Laxmi Singh (Jul 06 2021 at 11:53):

@Grahame Grieve @Lloyd McKenzie As the CSS change is merged, did we turn on secure links?

Lloyd McKenzie (Jul 06 2021 at 15:13):

What do you mean by "secure links"?

John Moehrke (Jul 06 2021 at 18:51):

https vs http.... crossing the boundary is a violation.

Lloyd McKenzie (Jul 06 2021 at 18:54):

Within IGs, there are almost certainly going to be mixed links. We can't guarantee that all targets will support https and we're referencing things across a wide variety of locations.

John Moehrke (Jul 06 2021 at 20:00):

security is hard work. the biggest problem I have seen in IGs is the calling upon javascript on another site using different security. I handled this in IHE by just moving those .js over to the IHE site, and using referential links rather than absolute.

Lloyd McKenzie (Jul 06 2021 at 20:44):

It's not a question of hard work here, it's a question of what's in our control - and how other people host things we need to reference isn't in our control.

Eric Haas (Jul 06 2021 at 20:49):

if one reads the entire thread, the commenter was unable to use the default path "http://hl7.org/fhir/R4/" (using the site variable {{site.data.fhir.path}}), and wanted to replace it with "https://hl7.org/fhir/R4/". An editor is free to use either https or http, but the templated links are out of their control.

Eric Haas (Jul 06 2021 at 20:51):

hence the bug in the css causing a rendering issue due to a proliferation of external link icons. That is now fixed, and I don't think there is anything technical standing in the way of making the change.

Grahame Grieve (Jul 13 2021 at 20:11):

@Mark Iantorno there's a global switch for this, with a parameter that defaults to false. Now that I'm on the road, I forget the details. Let me know if you can't find it

Mark Iantorno (Jul 13 2021 at 20:11):

I will look

Grahame Grieve (Jul 13 2021 at 20:15):

also in /org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/npm/PackageHacker.java, see useSecureReferences

Mark Iantorno (Jul 14 2021 at 13:38):

Alright I see it and can make the change. It doesn't look like the variable is actually ever set in the publisher?

Mark Iantorno (Jul 14 2021 at 13:39):

I searched for all references to the PackageHacker class

Mark Iantorno (Jul 14 2021 at 13:39):

image.png

Mark Iantorno (Jul 14 2021 at 13:39):

So, am I right in assuming that changing the default useSecureReferences = false will result in it just being true for all publishing?

Mark Iantorno (Jul 14 2021 at 13:40):

Should I provide users with some kind of choice for this in the publication process?

Mark Iantorno (Jul 14 2021 at 13:41):

For now, I'm going to make the change to the default value, setting it to true, and open a PR, then when I get the go/nogo I can either merge it quickly to resolve the issue, or add some further configuration.

Mark Iantorno (Jul 14 2021 at 13:45):

https://github.com/hapifhir/org.hl7.fhir.core/pull/558

Mark Iantorno (Jul 14 2021 at 13:45):

Pull Request is there


Last updated: Apr 12 2022 at 19:14 UTC