Prism Blog

Prism and mandatory HTTPS

Following the release of Prism on 21st November, we received customer feedback that there were issues with some components. We reverted the HTTPS only change on the evening of 22nd November.

The issues reported by our customers were:

  • Catalogue records not being pushed into Prism;
  • Talis Aspire integration no longer working in the browser;
  • Pages reporting mixed content (both HTTP and HTTPS resources).

Since then we have investigated each of these reported issues, with the following remedial action being required.

Catalogue records not being updated

We have amended our configuration such that the post of catalogue content functions correctly after we reapply the HTTPS changes.

There is no action required on customer systems.

Talis Aspire

We have spoken with Talis who confirmed that HTTPS is fully supported and available for all their customers when using the * URL to access their product. Talis confirmed that they do not support HTTPS where the customer has used their own hostname.

The action required by our customers is to amend the configuration of your Juice plugin to reference your Talis Aspire tenancy using the domain. This change is made within your Juice plugin configuration within your Prism theme through the Admin Console. Once this is done, the Juice plugin will function correctly using HTTPS.

Mixed mode content

Mixed mode content warnings appear in your web browser when you are on an HTTPS web site which refers to HTTP resources. When this occurs within JavaScript, such as a Juice plugin, the JavaScript will follow security best practice and may refuse to access the insecure resource.

The end user will see a warning that they are accessing a mixed mode site.

This occurs when there are HTTP accessed resources within your Prism theme. All resources should be accessed with protocol independent URLs, by omitting the “http:” from the URL. Doing this will ensure that the web browser uses the protocol that is listed within the address bar, HTTPS.

For example:

<img src="//"/>

Note, the “http:” has been removed, but the double “/” remains.

The action required by our customers is to preview this release by preceding your tenancy URL with ‘demo.’, like this:{your tenancy name}. If you have your own host name, you’ll need to use instead. You should check that you have been redirected to HTTPS, and your Prism content behaves correctly with no warnings. If there are warnings, these should be fixed in your theme through the Admin Console.
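One way to find and fix these references before previewing is sketched below. This is an added example, not code from Prism or the Admin Console; the function name `fixTheme`, the sample markup and the example.org hostnames are assumptions made for illustration.

```javascript
// Added example: find HTTP-only subresources in theme markup and rewrite them
// to protocol-independent URLs. <a href> is navigation, not mixed content,
// so ordinary links are deliberately left alone.
const SUBRESOURCE_ATTRS = {
  img: ['src'], script: ['src'], iframe: ['src'], link: ['href'],
  audio: ['src'], video: ['src', 'poster'], source: ['src'], embed: ['src'],
  object: ['data'],
};
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const CSS_URL_RE = /url\(\s*(['"]?)http:\/\/([^'")\s]+)/gi;

function attrRegex(name) {
  return new RegExp(`(\\s${name}\\s*=\\s*)(["'])http://([^"']*)\\2`, 'gi');
}

function fixTheme(html) {
  const findings = [];
  let fixed = html.replace(TAG_RE, (whole, tag, attrs) => {
    const names = SUBRESOURCE_ATTRS[tag.toLowerCase()];
    if (!names) return whole;
    // Only stylesheet <link>s load a resource; canonical/alternate links do not.
    if (tag.toLowerCase() === 'link' && !/\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) return whole;
    let out = attrs;
    for (const name of names) {
      out = out.replace(attrRegex(name), (m, pre, q, rest) => {
        findings.push({ tag: tag.toLowerCase(), attr: name, url: `http://${rest}` });
        return `${pre}${q}//${rest}${q}`; // drop "http:", keep the double "/"
      });
    }
    return `<${tag}${out}>`;
  });
  // Inline CSS can also pull in HTTP resources via url(...).
  fixed = fixed.replace(CSS_URL_RE, (m, q, rest) => {
    findings.push({ tag: 'css', attr: 'url()', url: `http://${rest}` });
    return `url(${q}//${rest}`;
  });
  return { fixed, findings };
}

// Constructed sample theme fragment (hostnames are placeholders).
const sampleTheme = `
<link rel="stylesheet" href="http://static.example.org/theme.css">
<img src="http://static.example.org/logo.png"/>
<script src="https://cdn.example.org/juice.js"></script>
<a href="http://www.example.org/help">Help</a>
<div style="background: url('http://static.example.org/bg.png')"></div>
`;
const result = fixTheme(sampleTheme);
console.log(result.findings);
```

A protocol-independent URL only helps if the host also serves that resource over HTTPS, so each reported URL should be checked over HTTPS before the rewritten theme is saved.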

Next steps

Please be aware that Prism currently supports HTTPS for all live pages, and after a borrower has authenticated, they typically remain using HTTPS for the duration of their session. This means that if you have any of the above issues, they are currently present in your LIVE Prism after a borrower has authenticated.

We will be disabling HTTP use for Prism from Monday 9th January. You should ensure that your Prism content works as expected using the ‘demo.’ URL for your tenancy, and make any required changes before this point.

Should you require any assistance, please raise a support case through the usual channels.
