web: enforce https (SSL) requirement

fixes https://console.cloud.google.com/errors/detail/CP2isf7noqyZjAE;time=P30D?project=bridgy-federated . thanks for finding @tantek!

tests/test_web.py

@@ -581,7 +581,12 @@ class WebTest(TestCase):
     def test_bad_source_url(self, *mocks):
         orig_count = Object.query().count()
 
-        for data in b'', {'source': 'bad'}, {'source': 'https://'}:
+        for data in [
+                b'',
+                {'source': 'bad'},
+                {'source': 'https://'},
+                {'source': 'http://user.com/not/https'},
+        ]:
             got = self.post('/webmention', data=data)
             self.assertEqual(400, got.status_code)
             self.assertEqual(orig_count, Object.query().count())

web.py

@@ -571,6 +571,8 @@ def webmention_external():
     source = flask_util.get_required_param('source').strip()
     if not util.is_web(source):
         error(f'Bad URL {source}')
+    elif urlparse(source).scheme != 'https':
+        error('source URLs must be https (with SSL)')
 
     domain = util.domain_from_link(source, minimize=False)
     if not domain: