
Forum Theme Bug -- 'Deflection' Header Banner preventing Full HTTPS Status



Description:  When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

 

Reproduction Rate:  100% -- This is ALWAYS REPRODUCIBLE!!!

 

Steps To Reproduce:

  1. Head to any page on 'forum.tip.it' with Secure Mode (HTTPS) requested.
    ("https://forum.tip.it" will do, in order to test this quickly.)
  2. Go to the Bottom of the Page.
  3. Click on "Change Theme"
  4. Select "Deflection" from the available list of choices.
  5. Address Bar will no longer fully register the 'Tip.It Forums' site as being in Secure Mode (HTTPS), all because of the blue "Tip.It Community" Header Banner being Force-Loaded in Non-Secure Mode (HTTP).

What should NOT happen:  Forums acting Non-Secure (HTTP) in the Address Bar when Secure Mode (HTTPS) is being requested by the visitor.

 

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

 

Comments:  I did happen to pin down the offending chunk of generated page code on the "Deflection" Forum Theme.  Here's what it reads...

<img src='http://forum.tip.it/public/style_images/17_14_tipitcommunitylogo-deflection.png' alt='Logo' />

...so you can quickly fix this small-but-annoying bug.  Having this same issue on another site recently caused this one to come to my attention.  Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser.  I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/.  I might be on Firefox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage. :o

 

~Mr. D. V. "I'm a natural 'Bug Magnet'... At least I'm trying to do something positive with it..." Devnull

 

 

 

(P.S.: You might be wondering... "Why's this nut using such a full-format bug reporting style?" ...to which you can thank another, totally different website for that one.  It will probably take a while before this reporting style bleeds back out of my mind, if it ever does.)

 

(P.P.S.: By the way, why isn't there a "Bug Report" or "Forums" tag for selecting?  It really would have been useful here!)

tifuserbar-dsavi_x4.jpg and normally with a cool mind.

(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the time being due to how insane they are... Sometimes even to themself.)


Admins please fix this so we can embed videos again

We're having Video Embedding Problems, as well?  Ouch! :(

 

~D. V. "definitely would help to have that fixed too" Devnull


Description:  When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

This particular issue is fixed, but that is not the only thing causing browsers to think there is mixed content.

 

I also believe I've fixed media not being secure as well.

 

 

Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser.  I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/.  I might be on Firefox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage.

It's true that Google is rating HTTPS sites higher than HTTP; that is why we switched entirely. But some mixed content on the site does not change the fact that the actual site content is requested and displayed over HTTPS. A couple of images here and there don't make the site insecure by default; it just means any data sent when requesting that particular resource is not encrypted.  You could have HTTP images all over the login form, but as long as the form posts to an HTTPS endpoint it doesn't compromise anything.

 

 

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums.  You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority.  This is due to the fact we display content provided by users, and we don't host all of it.  Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.
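
The mixed-content check discussed in this thread, as an added example that is not part of any post and not the forum's own code: it lists the subresources a page requests over plain HTTP, split into what is commonly called passive (images, media) and active (scripts, frames, stylesheets) mixed content. The sample markup is constructed, apart from the banner tag quoted in the first post; `forum.example`, `cdn.example` and `images.example` are placeholder hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that fetch a subresource. Scripts, frames and stylesheets
# are "active" mixed content; images and media are "passive" mixed content.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page; only the banner <img> line comes from the thread.
SAMPLE = """
<link rel='stylesheet' href='https://forum.example/style.css' />
<script src='http://cdn.example/widget.js'></script>
<img src='http://forum.tip.it/public/style_images/17_14_tipitcommunitylogo-deflection.png' alt='Logo' />
<form action='https://forum.example/login' method='post'></form>
<img src='http://images.example/signature.jpg' alt='sig' />
<img src='https://forum.example/avatar.png' alt='avatar' />
"""

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            # Only absolute http:// URLs count; relative and https:// URLs
            # inherit or already use the secure scheme.
            if not value or urlparse(value.strip()).scheme.lower() != "http":
                continue
            if (tag, name) in ACTIVE:
                # <link> fetches a subresource only for stylesheet-type rels.
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                self.findings.append(("active", tag, value))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, value))
            elif (tag, name) == ("form", "action"):
                self.findings.append(("insecure-form", tag, value))

def scan(html):
    """Return every plain-HTTP subresource or form target found in html."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
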


What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums.  You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority.  This is due to the fact we display content provided by users, and we don't host all of it.  Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.

Eh... I'll go fix that...  Freaking thing's out-of-date, but I can at least patch that little issue. :oops:

 

I do wonder, though... Is there any way to initially force a request to go https before http anyway, for things such as images referenced in posts, or is that entirely on the user to deal with? :huh:

 

~D. V. "I knew I was missing something, but didn't realize what..." Devnull

 



 

UPDATE:  Just discovered Photobucket is actively refusing to operate in HTTPS Mode.  I'm unable to fix my Signature at this time.  I guess they'll have to get shamed by Google a lot in order to force them to change their ways. <_<

 

~Mr. D. V. "Bloody hell, I can't fix this myself!!!" Devnull

Edited by D. V. Devnull

