Show insecure login warning when not in a secure context

Secure contexts are a more robust way of checking that a browsing context
is authenticated and confidential. Compared to comparing the scheme, this
covers cases where the connection is encrypted, but using a broken algorithm.

Notably, localhost is considered a secure context, even over HTTP.

For more detail on secure contexts, see:
https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
James Frost
2024-07-23 11:19:16 +01:00
parent 0cd5e51dd4
commit 0c20f3e867

@@ -91,7 +91,7 @@
{% block script %}
{{ super() }}
<script>
if (window.location.protocol === "http:") {
if (!window.isSecureContext) {
// unhide http warning
var warning = document.getElementById('insecure-login-warning');
warning.className = warning.className.replace(/\bhidden\b/, '');
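
Review bot: The comment `// unhide http warning` directly under the new `if (!window.isSecureContext)` condition is now stale, because the check no longer tests the scheme. Reword it to match, for example "unhide insecure context warning". It is also worth confirming that the wording of the `insecure-login-warning` element still makes sense when it is shown on a page that is not plain HTTP. Note that in a browser where `window.isSecureContext` is undefined, `!window.isSecureContext` evaluates to true and the warning is shown, which fails safe; a short comment saying so would help the next reader.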