Help

Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
EnTerr
Roku Guru
‎05-07-2014 12:09 PM

http://owner.roku.com/X => httpS://owner.roku.com/X ?

I am bummed that subject length-limit prevented me from succinctly summarizing the issue. But here it is, in more words: the issue is that
http://owner.roku.com/SOMEPATH improperly redirects to https://owner.roku.com/ (the server root) and not to https://owner.roku.com/SOMEPATH

Motivation:
For adding "private channel" to a Roku, one has to ask people to go to a particular URL and type the code there. Or just to type a full URL with the channel codeword in it. Say my code is XYZZY, then i either should ask users "Go to https://owner.roku.com/add and enter access code XYZZY" or "Go to https://owner.roku.com/add/XYZZY". Both of these work quite well if this is already on the Web, i.e. if user is reading this in a browser and can just click on one of the URLs.

But not so if they have to type the URL from scratch, for example if the instructions are printed on paper or showing on TV screen, say TV ad spot or (non-clickable) mention in another Roku channel. People just don't pay attention to anything in URL before the "://" - they don't care what a "URI schema" is. Even if the URL was saying rtsp://owner.roku.com/add/XYZZY or tftp://owner.roku.com/add/XYZZY, they will just go to the browser, type there "owner.roku.com/add/XYZZY" and expect the magic to happen. And rightfully so, nobody wants to type extra 8 characters and since very long time (last century?) web browsers don't require the "http://" part, they assume it. But with the current behavior of "owner.roku.com/add" users will be re-directed to the "My Account" top page instead of seeing channel add dialog.

Discussion:
The current redirect http://owner.roku.com/* => https://owner.roku.com/ probably occurred as quick-and-dirty fix by the web server admin when RokuCo decided to switch the web service calls to httpS. I see owner.roku.com is using IIS, it will be trivial to fix the redirect there.

Suggested fix:
1. Make "http://" URLs for owner.roku.com properly re-direct to their "https://" counterparts (and not the root). Simple, quick and no un-intended consequences.
and/or
2. Add an even simpler, shorter way to add private channels, like say "roku.com/add" (through simple Apache re-direct from that to the proper https at owner.roku.com)
0 Kudos
Reply
6 REPLIES 6
BradC
Channel Surfer
‎05-07-2014 06:23 PM

Re: http://owner.roku.com/X => httpS://owner.roku.com/X ?

you sure? Seems like kind of a big security risk to automatically redirect any URL to the secure server.
♦MiniGolf♦HangMan♦Brain Puck♦Retro Tennis♦BORK♦FLIP♦Pathogen♦Pathogen 2♦Shut the Box♦Birdie♦Logic♦Dots♦Pool♦küglo♦Bubble Wrap♦Trivia Channel♦Mancala♦Air Hockey♦Weather♦CAMERA♦Your Photos Screensaver♦Desert Beauty Screensaver♦Wild Lakes Screensaver♦
0 Kudos
Reply
EnTerr
Roku Guru
‎05-07-2014 07:57 PM

Re: http://owner.roku.com/X => httpS://owner.roku.com/X ?

"BradC" wrote:
you sure? Seems like kind of a big security risk to automatically redirect any URL to the secure server.

Yes, I sure.
Am not offering to do something new but to straighten redirects. They already do the http->https redirect. So they already had to deal with potential vulnerabilities (like MitM attack). I see they use secure cookies. Nothing is done in http://owner space anyway, so there are no cookies transferable and MitMA does not apply. It's very clean setup actually, keeping everything under https and sweeping all incoming http to https outright.

That now sounds awfully technical, so maybe i should just say "I sure" and ask you if you have any specific concerns in mind?
0 Kudos
Reply
EnTerr
Roku Guru
‎05-20-2014 10:38 AM

Re: http://owner.roku.com/X => httpS://owner.roku.com/X ?

bump - question is towards Roku*?
0 Kudos
Reply
RokuJoel
Binge Watcher
‎05-20-2014 04:33 PM

Re: http://owner.roku.com/X => httpS://owner.roku.com/X ?

Seems like a good idea. I don't know if this qualifies as a bug or a feature request.

Joel
0 Kudos
Reply
EnTerr
Roku Guru
‎05-20-2014 06:19 PM

Re: http://owner.roku.com/X => httpS://owner.roku.com/X ?

"RokuJoel" wrote:
Seems like a good idea. I don't know if this qualifies as a bug or a feature request.

Well that depends... labeling it which way has better odds of getting it fixed in my lifetime? 🙂

My point is, to have a short URL that can be advertised - something easy to type in address bar, the shorter - the better. E.g. "owner.roku.com/add/myChannel" is passable - but requiring 8 more characters ("https://") is too much. Even better would be if there was shorter way, like "roku.com/add/myChannel" or "add.roku.com/myChannel" but that feels asking too much. Hence i ask for something simpler, just to fix HTTP->HTTPS redirect for owner.roku.com
0 Kudos
Reply
EnTerr
Roku Guru
‎04-28-2016 01:38 AM

Re: http://owner.roku.com/X => httpS://owner.roku.com/X ?

Woo-hoo, my prayers from 2 years ago have been answered! This redirection now works (including a login if necessary)::
://my.roku.com/add/FOOBAR --> https://...

So, now one could advertise access code in print with simply "my.roku.com/add/FOOBAR" - and when typed in a browser it will redirected and expanded to "https://my.roku.com/account/add?channel=FOOBAR". Good stuff.
0 Kudos
Reply