Use webcals URI scheme when accessing via HTTPS (PFS directive)

[Somebodyisnobody]

Steps to reproduce

1. Create and share a calendar
2. Open shared calendar
3. Click right on "subscribe" to copy the link of the button and paste it somewhere to take a look on it.

Expected behaviour

Nextcloud applies PFS to the webcal-link and forms it into an webcals-link

Actual behaviour

If i access via TLS the subscribtion link is still webcal://

I cannot find an offical URI scheme but all of my clients does support the webcals://-sheme
Some examples:

• CalDAV for Android
• WebcalSync
• Thunderbird (acc. to serverlog)
• Outlook (acc. to serverlog)

@georgehrke said in nextcloud/server#8039 (comment)

What the calendar app does for webcal is the following: try https, if that fails, fall back to http. And that's pretty much what I expect from any other webcal client.

I tested that with Outlook:
My server is running on TLS at port 444 (DNAT because of internal routes), so my scheme is webcals://my.domain:444/remote.php/dav/.....

• If i enter webcal://my.domain:444/remote.php/dav/..... Outlook just does nothing, webserver logs "400 (Bad request)"
• If i enter the webcals:// version Outlook wizard continues.

So in fact what Georg expects from other webcal clients isn't what other developers think... 😯 😞
Considering the unofficial support of "webcals://" and the Outlook-test it would be appropriate to apply PFS accordingly and use webcals:// when accessing via HTTPS.

Server configuration

Web server: nginx

Database: mysql

PHP version: 7.2

Server version: 13

Calendar version: 1.6.0

Updated from an older installed version or fresh install: updated

Are you using external storage, if yes which one: local

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: newest FF

CalDAV-clients: Thunderbird, WebcalSync, CalDAV and infrequently Outlook

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[georgehrke]

PFS = Perfect forward secrecy?

[georgehrke]

• but that also means that we have to support webcals ourselves

[Somebodyisnobody]

#748 (comment)

Yeah i meant Perfect forward secrecy.

[arunikayadav42]

Can I please get started with working on this issue?

[Somebodyisnobody]

Sorry for the stupid question but what are you waiting for (or who's asked)?

[arunikayadav42]

could you please help me get started with the same please :)

[Somebodyisnobody]

how could I help you? I can partially read PHP but otherwise I'm more of a logic person.
How can we both work on a snippet of code?

[arunikayadav42]

Like please tell me what file contains the bug :)

[georgehrke]

You can just search the code for webcal://. That should lead you to the correct file.

I‘m not sure whether this issue is in a php or a JavaScript file.

[Somebodyisnobody]

Ok i searched in the rep for "webcal" and in my browser for "webcal://"
Seems that calendar/js/app/utility/webcalUtility.js is just for importing calendars into nextcloud. It replaces webcal:// to https:// like @georgehrke said.

But i found something by searching for "subscribe" that is written in php:

calendar/templates/public.php

Lines 12 to 15 in 17e6951

	<div id="header-right" class="header-right">
	<a href="<?php p($_['webcalURL']); ?>" id="download" class="button">
	<span class="icon icon-public"></span>
	<span id="download-text"><?php p($l->t('Subscribe'))?></span>

<?php p($_['webcalURL']); ?>" is interesting. Again, i could be wrong, i am not a programmer!

Maybe this is an approach for you.

[arunikayadav42]

cool @Somebodyisnobody I will look into it :)

[Somebodyisnobody]

@arunikayadav42 do you have news for us?

[Somebodyisnobody]

"webcalURL" is defined in

calendar/controller/viewcontroller.php

Line 226 in 28dc8bf

$webcalUrl = 'webcal://' . substr($downloadUrl, $protocolLength);

[arunikayadav42]

I am still looking into the same.Need two more days please due to some technical glitches :)

[georgehrke]

This has been fixed in #926

https://github.com/nextcloud/calendar/blob/master/src/components/AppNavigation/CalendarList/PublicCalendarListItem.vue#L154L159