From 0c20f3e8678a9d14f5c438f73c3e44133db90711 Mon Sep 17 00:00:00 2001
From: James Frost <james.frost@metoffice.gov.uk>
Date: Tue, 23 Jul 2024 11:19:16 +0100
Subject: [PATCH] Show insecure login warning when not in a secure context

Secure contexts are a more robust way of checking that a browsing context
is authenticated and confidential. Compared to comparing the scheme this
covers cases where the connection is encrypted, but using a broken algorithm.

Notably, localhost is considered a secure context, even over HTTP.

For more detail on secure contexts, see:
https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
---
 share/jupyterhub/templates/login.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/share/jupyterhub/templates/login.html b/share/jupyterhub/templates/login.html
index 8c8e83bd..23165308 100644
--- a/share/jupyterhub/templates/login.html
+++ b/share/jupyterhub/templates/login.html
@@ -91,7 +91,7 @@
 {% block script %}
   {{ super() }}
   <script>
-    if (window.location.protocol === "http:") {
+    if (!window.isSecureContext) {
       // unhide http warning
       var warning = document.getElementById('insecure-login-warning');
       warning.className = warning.className.replace(/\bhidden\b/, '');