From ddf5728c76b37815cb8d5b5fc45845ae42ac8267 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Thu, 17 Nov 2016 13:39:24 +0000
Subject: [PATCH] #1341: * allow xor digest over ssl * hide insecure password option when using ssl (irrelevant) * move insecure password option near password, disable password field if not checked
git-svn-id: https://xpra.org/svn/Xpra/trunk@14437 3bb7dfac-3a0b-4e04-842a-767bc560f471
---
 src/html5/connect.html | 20 ++++++++++++++++----
 src/html5/index.html | 3 ++-
 src/html5/js/Client.js | 2 +-
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/html5/connect.html b/src/html5/connect.html
index c9842221ce..8e51e52b03 100644
--- a/src/html5/connect.html
+++ b/src/html5/connect.html
@@ -53,6 +53,10 @@

Xpra HTML5 Client


+
+ Insecure plain-text passwords +
+
@@ -319,6 +320,7 @@

Advanced options

$(document).ready(function() {
+ var ssl = document.location.protocol=="https:";
 var disconnect_reason = window.location.getParameter("disconnect") || null;
 if(disconnect_reason) {
@@ -334,6 +336,16 @@

Advanced options

document.getElementById("port").value = link.port;
 var username = window.location.getParameter("username") || "";
 document.getElementById("username").value = username;
+ if(ssl) {
+ $('div.password-warning-box').hide();
+ }
+ else {
+ $('input#password').prop("disabled", true);
+ var insecure_input = document.getElementById("insecure");
+ insecure_input.onchange = function() {
+ $('input#password').prop("disabled", !insecure_input.checked);
+ };
+ }
 var action = getparam("action") || "";
 if(action=="shadow") {
@@ -364,7 +376,7 @@
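Review bot: In connect.html's `else` branch (page not served over https) the password field is disabled unconditionally by `$('input#password').prop("disabled", true);`, without reading the checkbox's current state. If the "insecure" box is already ticked when this runs (restored form state on reload, or other code in this file pre-checking it, which the hunk does not show), the field stays disabled until the user unticks and re-ticks the box. Initialising from the checkbox after the `getElementById("insecure")` lookup keeps the two in step: `$('input#password').prop("disabled", !insecure_input.checked);`. This branch also runs for a plain-http localhost page, where the Client.js hunk of this commit accepts xor without the insecure flag, so the form is stricter than the client-side check there. The enclosing `$(document).ready` handler starts and ends outside the hunk.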

Advanced options

set_exit_actions(action=="connect");
 }
 $(document).on('click', '[name="action"]', on_action_change);
- $('input:radio[value='+action+']').click();
+ $('input:radio[value="'+action+'"]').click();
 var encoding = getparam("encoding") || "jpeg";
 document.getElementById('encoding').value = encoding;
diff --git a/src/html5/index.html b/src/html5/index.html
index 866e9416da..ec7f19e204 100644
--- a/src/html5/index.html
+++ b/src/html5/index.html
@@ -236,7 +236,8 @@
 client.init();
 // and connect
- client.connect(server, port, false);
+ var ssl = document.location.protocol=="https:";
+ client.connect(server, port, ssl);
 // attach a callback for paste on the screen
 $('#pasteboard').on('paste', function (e) {
diff --git a/src/html5/js/Client.js b/src/html5/js/Client.js
index fbc214daa4..0fb341e613 100644
--- a/src/html5/js/Client.js
+++ b/src/html5/js/Client.js
@@ -1252,7 +1252,7 @@ XpraClient.prototype._process_challenge = function(packet, ctx) {
 hmac.update(salt);
 challenge_response = hmac.digest().toHex();
 } else if (digest == "xor") {
- if((!ctx.encryption) && (!ctx.insecure) && (ctx.host!="localhost") && (ctx.host!="127.0.0.1")) {
+ if((!ctx.ssl) && (!ctx.encryption) && (!ctx.insecure) && (ctx.host!="localhost") && (ctx.host!="127.0.0.1")) {
 ctx.callback_close("server requested digest xor, cowardly refusing to use it without encryption with "+ctx.host);
 return;
 }
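Review bot: In the connect.html hunk at `$('input:radio[value="'+action+'"]').click();`, `action` is still concatenated into a jQuery selector although it comes straight from `getparam("action")` (context line of the previous hunk). The added quotes handle an empty value, but a value containing `"` or `\` still ends the attribute string early, giving a selector syntax error or a match on some other element. Comparing the value instead of building a selector avoids interpreting the parameter at all: `$('input:radio').filter(function() { return this.value === action; }).click();`. The surrounding ready handler starts and ends outside the hunk.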
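Review bot: In the index.html hunk, `ssl` is derived only from the page's own scheme (`document.location.protocol=="https:"`), and the Client.js hunk of this commit starts treating `ctx.ssl` as sufficient to accept the xor digest, so this boolean is now a security decision and not just a transport choice. Neither hunk shows that connect() stores the argument as `ctx.ssl`, or that the socket is always opened as `wss://` when it is true; that is worth confirming in connect(), which is outside the diff. A comment at the call would record the coupling: `// ssl also relaxes the xor-digest refusal in _process_challenge; it must be true only when the websocket is wss://`. The same expression is repeated in connect.html's ready handler, so a shared helper would keep the two from drifting apart.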
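Review bot: The xor branch of `_process_challenge` in Client.js carries no comment explaining why the guard exists, and the refusal text on the `callback_close` line ("without encryption") no longer matches the condition, which now also passes on `ctx.ssl`. Going by the commit's own wording ("insecure plain-text passwords"), xor is presumably recoverable by anyone who sees the salt, so TLS protects it on the wire while the endpoint terminating the connection still receives a recoverable password. A comment above the `if` would make the intent explicit, for example `// xor is not a real digest: allow it only over wss, xpra encryption, loopback, or an explicit "insecure" opt-in`. The loopback exemption compares `ctx.host` with "localhost" and "127.0.0.1" only, so an IPv6 loopback address is refused, which fails closed but is inconsistent. The function body begins and ends outside the hunk.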