Jump to content
Due to the significant updates that have taken place, you now need to login with your display name or e-mail address, NOT your login name. ×
Due to posts that are 5+ years old being rebuilt, some of the older BBCodes may not have converted properly but still be in the post. Most posts are unaffected but some using what was our custom BBCode (like [spoiler]) will be a bit broken. ×
D. V. Devnull

Forum Theme Bug -- 'Deflection' Header Banner preventing Full HTTPS Status

Recommended Posts

Description:  When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

 

Reproduction Rate:  100% -- This is ALWAYS REPRODUCIBLE!!!

 

Steps To Reproduce:

  1. Head to any page on 'forum.tip.it' with Secure Mode (HTTPS) requested.
    ("https://forum.tip.it" will do, in order to test this quickly.)
  2. Go to the Bottom of the Page.
  3. Click on "Change Theme"
  4. Select "Deflection" from the available list of choices.
  5. Address Bar will no longer fully register the 'Tip.It Forums' site as being in Secure Mode (HTTPS), all because of the blue "Tip.It Community" Header Banner being Force-Loaded in Non-Secure Mode (HTTP).

What should NOT happen:  Forums acting Non-Secure (HTTP) in the Address Bar when Secure Mode (HTTPS) is being requested by the visitor.

 

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

 

Comments:  I did happen to pin down the offending chunk of generated page code on the "Deflection" Forum Theme.  Here's what it reads...

<img src='http://forum.tip.it/public/style_images/17_14_tipitcommunitylogo-deflection.png' alt='Logo' />

...so you can quickly fix this small-but-annoying bug.  Having this same issue on another site recently caused this one to come to my attention.  Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser.  I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/.  I might be on FireFox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage. :o

 

~Mr. D. V. "I'm a natural 'Bug Magnet'... At least I'm trying to do something positive with it..." Devnull

 

 

 

(P.S.: You might be wondering... "Why's this nut using such a full-format bug reporting style?" ...to which you can thank another, totally different website for that one.  It will probably take a while before this reporting style bleeds back out of my mind, if it ever does.)

 

(P.P.S.: By the way, why isn't there a "Bug Report" or "Forums" tag for selecting?  It really would have been useful here!)


tifuserbar-dsavi_x4.jpg and normally with a cool mind.

(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

Share this post


Link to post
Share on other sites

Huh, that's what was causing this

 

Admins please fix this so we can embed videos again

Share this post


Link to post
Share on other sites

Admins please fix this so we can embed videos again

We're having Video Embedding Problems, as well?  Ouch! :(

 

~D. V. "definitely would help to have that fixed too" Devnull


tifuserbar-dsavi_x4.jpg and normally with a cool mind.

(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

Share this post


Link to post
Share on other sites

Description:  When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

This particular issue is fixed, but that is not the only thing causing browsers to think there is mixed content.

 

I also believe I've fixed media not being secure as well.

 

 

Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser.  I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/.  I might be on FireFox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage. 

It's true that Google is rating HTTPS sites higher than HTTP, that is why we switched entirely, but some mixed content on the site does not change the fact that the actual site content is requested and displayed over HTTPS, a couple of images here and there don't make the site insecure by default, it just means any data sent when requesting that particular resource is not encrypted.  You could have HTTP images all over the login form but as long as the form posts to a HTTPS endpoint it doesn't compromise anything.

 

 

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums.  You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority.  This is due to the fact we display content provided by users, and we don't host all of it.  Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.

Share this post


Link to post
Share on other sites

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums.  You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority.  This is due to the fact we display content provided by users, and we don't host all of it.  Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.

Eh... I'll go fix that...  Freaking thing's out-of-date, but I can at least patch that little issue. :oops:

 

I do wonder, though... Is there any way to initially force a request to go https before http anyway, for things such as images referenced in posts, or is that entirely on the user to deal with? :huh:

 

~D. V. "I knew I was missing something, but didn't realize what..." Devnull

 



 

UPDATE:  Just discovered PhotoBucket is actively refusing to operate in HTTPS Mode.  I'm unable to fix my Signature at this time.  I guess they'll have to get shamed by Google a lot in order to force them to change their ways. <_<

 

~Mr. D. V. "Bloody hell, I can't fix this myself!!!" Devnull

Edited by D. V. Devnull

tifuserbar-dsavi_x4.jpg and normally with a cool mind.

(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.