From 41dc366de1c480df64ea49375405b942e89e1aad Mon Sep 17 00:00:00 2001
From: Cedric Ziel <cedric@cedric-ziel.com>
Date: Sat, 8 Aug 2015 19:46:25 +0200
Subject: [PATCH 1/1] [FEATURE] Use HTTPS urls on all jquery cdns
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This change also adds cloudflares cdnjs as possible choice.

Allowing the request over HTTP opens the door for side attacks.
It’s always safe to request HTTPS assets even if your site is on
HTTP, however the reverse is not true.

Most CDNs recommend using HTTPS to request the assets now, see
https://developers.google.com/speed/libraries/?csw=1

Releases: master
Resolves: #68871
Change-Id: I5af913d664b4e6e02238a8d5320a87349019eaa6
Reviewed-on: http://review.typo3.org/42422
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Reviewed-by: Göran Bodenschatz <coding@46halbe.de>
Reviewed-by: Cedric Ziel <cedric@cedric-ziel.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Jan Helke <typo3@helke.de>
Tested-by: Jan Helke <typo3@helke.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
---
 typo3/sysext/core/Classes/Page/PageRenderer.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/typo3/sysext/core/Classes/Page/PageRenderer.php b/typo3/sysext/core/Classes/Page/PageRenderer.php
index 2de30209928a..f8609d93eda3 100644
--- a/typo3/sysext/core/Classes/Page/PageRenderer.php
+++ b/typo3/sysext/core/Classes/Page/PageRenderer.php
@@ -289,10 +289,10 @@ class PageRenderer implements \TYPO3\CMS\Core\SingletonInterface {
 	 *
 	 * The type "source" describes where the jQuery core should be included from
 	 * currently, TYPO3 supports "local" (make use of jQuery path), "google",
-	 * "jquery" and "msn".
-	 * Currently there are downsides to "local" and "jquery", as "local" only
-	 * supports the latest/shipped jQuery core out of the box, and
-	 * "jquery" does not have SSL support.
+	 * "jquery", "msn" and "cloudflare".
+	 *
+	 * Currently there are downsides to "local" which supports only the latest/shipped
+	 * jQuery core out of the box.
 	 *
 	 * @var array
 	 */
@@ -313,9 +313,10 @@ class PageRenderer implements \TYPO3\CMS\Core\SingletonInterface {
 	 * @var array
 	 */
 	protected $jQueryCdnUrls = array(
-		'google' => '//ajax.googleapis.com/ajax/libs/jquery/%1$s/jquery%2$s.js',
-		'msn' => '//ajax.aspnetcdn.com/ajax/jQuery/jquery-%1$s%2$s.js',
-		'jquery' => 'http://code.jquery.com/jquery-%1$s%2$s.js'
+		'google' => 'https://ajax.googleapis.com/ajax/libs/jquery/%1$s/jquery%2$s.js',
+		'msn' => 'https://ajax.aspnetcdn.com/ajax/jQuery/jquery-%1$s%2$s.js',
+		'jquery' => 'https://code.jquery.com/jquery-%1$s%2$s.js',
+		'cloudflare' => 'https://cdnjs.cloudflare.com/ajax/libs/jquery/%1$s/jquery%2$s.js'
 	);
 
 	/**
-- 
2.20.1