HTTPS enforcement, URLs consumed from other sources

a week ago
Occasional Contributor III

Hi, apologies if this has been asked already. I have AGOL hosted web applications that consume URLs from other organizations. With the upcoming switch to https, will http URLs from elsewhere cause the Esri web app to not function correctly? For example, I have this URL (http://sites.udel.edu/parking/permit-info/) in the Parking Locator web application as a link to information on another organization's website. Will this example, and others like it, cause our web apps to not function properly? My concern is if the other organizations serving information are not migrating their URLs to https, will we see the consequences. Many thanks in advance. Regards, Jay


Accepted Solutions
Esri Contributor

Hi Jay Hodny,

From this technical article:

https://support.esri.com/en/technical-article/000022877

Any items added to ArcGIS Online from links external to the ArcGIS platform with HTTP only URLs will be inaccessible via a browser due to mixed-content conflicts. This includes:

  1. links in the item details
  2. popups, etc.

While we've entered an HTTP reference, the link provided does have HTTPS:
https://sites.udel.edu/parking/permit-info/

Testing in an ArcGIS Online organization with HTTPS Only enforced, Chrome switched to using the HTTPS connection when clicked. Tested the Item Details and a Web AppBuilder title link.
If the external site did not have HTTPS the link would be inaccessible. 
I'd suggest updating to HTTPS references where possible. 

I'd suggest browsing through the Technical Article linked above and:

  1. With an administrator account, check your ArcGIS Online organization settings to see if HTTPS Only is already enforced in the (enabling it will be an option if it isn't; if you see no option it means HTTPS Only is already enabled).
    If you have it enabled already, it won't be enforced on Dec 8 - it'll already be enforced for your organization, and any HTTP issues should be manifesting already 
  2. Use the Security Advisor tools to check for HTTP references that may result in issues.
    This is applicable for organizations that have already enforced HTTPS, that may have remnant references.

Yes, if the third party does not support HTTPS, this could potentially cause issues.
For example, I saw an ArcGIS Server service provider not have HTTPS - preventing ArcGIS Online users from adding their services to Web Maps. Most organizations should already support, or be moving towards supporting HTTPS.

Additional info:

Cheers,

Chris
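To illustrate the advice above about finding HTTP references and updating them to HTTPS, here is an added example that is not part of the original post and not Esri's Security Advisor. It walks a constructed item-data JSON document, reports every `http://` URL with its location, and flags whether the host is external to the platform; the platform host suffixes, the sample JSON and the function names are assumptions made for this sketch.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: hosts under these suffixes count as "the ArcGIS platform".
PLATFORM_SUFFIXES = (".arcgis.com", ".arcgisonline.com")
HTTP_URL = re.compile(r"http://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample of item data; the layer URLs are placeholders.
SAMPLE = json.loads("""
{
  "title": "Parking Locator",
  "description": "<a href='http://sites.udel.edu/parking/permit-info/'>Permit info</a>",
  "operationalLayers": [
    {"url": "http://services.arcgis.com/EXAMPLE/arcgis/rest/services/Lots/FeatureServer/0",
     "popupInfo": {"description": "Help: http://gis.example.org/help."}},
    {"url": "https://gis.example.org/arcgis/rest/services/Roads/MapServer"}
  ]
}
""")


def find_http_refs(node, path="$"):
    """Yield (json_path, url) for each http:// URL found in any string value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_http_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_http_refs(value, f"{path}[{i}]")
    elif isinstance(node, str):
        for match in HTTP_URL.finditer(node):
            yield path, match.group(0).rstrip(".,;")  # drop sentence punctuation


def report(item_data):
    """List each HTTP reference, whether it is external, and its HTTPS form."""
    rows = []
    for path, url in find_http_refs(item_data):
        host = (urlsplit(url).hostname or "").lower()
        external = not ("." + host).endswith(PLATFORM_SUFFIXES)
        rows.append({"path": path, "url": url, "external": external,
                     "https_candidate": "https://" + url[len("http://"):]})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

The `https_candidate` is only a rewrite of the scheme; each external one still has to be opened to confirm the third party actually serves that page over HTTPS before the reference is updated.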

Occasional Contributor III

Excellent Chris, thank you!
