D. V. Devnull
Posted May 21, 2017

Description: When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

Reproduction Rate: 100% -- This is ALWAYS REPRODUCIBLE!!!

Steps To Reproduce:
1. Head to any page on 'forum.tip.it' with Secure Mode (HTTPS) requested. ("https://forum.tip.it" will do, in order to test this quickly.)
2. Go to the Bottom of the Page.
3. Click on "Change Theme"
4. Select "Deflection" from the available list of choices.
5. Address Bar will no longer fully register the 'Tip.It Forums' site as being in Secure Mode (HTTPS), all because of the blue "Tip.It Community" Header Banner being Force-Loaded in Non-Secure Mode (HTTP).

What should NOT happen: Forums acting Non-Secure (HTTP) in the Address Bar when Secure Mode (HTTPS) is being requested by the visitor.

What SHOULD be happening: Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

Comments: I did happen to pin down the offending chunk of generated page code on the "Deflection" Forum Theme. Here's what it reads...

<img src='http://forum.tip.it/public/style_images/17_14_tipitcommunitylogo-deflection.png' alt='Logo' />

...so you can quickly fix this small-but-annoying bug. Having this same issue on another site recently caused this one to come to my attention. Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser. I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/. I might be on Firefox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage. :o

~Mr. D. V. "I'm a natural 'Bug Magnet'... At least I'm trying to do something positive with it..." Devnull

(P.S.: You might be wondering... "Why's this nut using such a full-format bug reporting style?" ...to which you can thank another, totally different website for that one. It will probably take a while before this reporting style bleeds back out of my mind, if it ever does.)

(P.P.S.: By the way, why isn't there a "Bug Report" or "Forums" tag for selecting? It really would have been useful here!)

and normally with a cool mind. (Warning: This user can be VERY confusing to some people... And talks in 3rd person for the time being due to how insane they are... Sometimes even to themself.)

Hedgehog
Posted May 21, 2017

Huh, that's what was causing this

Admins please fix this so we can embed videos again

D. V. Devnull
Posted May 25, 2017

> Admins please fix this so we can embed videos again

We're having Video Embedding Problems, as well? Ouch! :(

~D. V. "definitely would help to have that fixed too" Devnull

MageUK
Posted May 28, 2017

> Description: When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

This particular issue is fixed, but that is not the only thing causing browsers to think there is mixed content. I also believe I've fixed media not being secure as well.

> Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser. I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/. I might be on Firefox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage.

It's true that Google is rating HTTPS sites higher than HTTP, that is why we switched entirely, but some mixed content on the site does not change the fact that the actual site content is requested and displayed over HTTPS. A couple of images here and there don't make the site insecure by default, it just means any data sent when requesting that particular resource is not encrypted. You could have HTTP images all over the login form but as long as the form posts to an HTTPS endpoint it doesn't compromise anything.

> What SHOULD be happening: Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums. You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority. This is due to the fact we display content provided by users, and we don't host all of it.

Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.

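Added example, not part of the thread or the forum's own code: a small scanner that lists the `http://` subresources in an HTTPS page's HTML, separating passive loads (images, media) from active ones (scripts, frames, stylesheets) and from forms that post over HTTP. The sample page is constructed; only the banner tag comes from the report above, and `video.example` and the other URLs are placeholders.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a subresource.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}


class MixedContentScanner(HTMLParser):
    """Collect http:// subresources from a page that is served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, value in attrs.items():
            if not value.lower().startswith("http://"):
                continue
            if (tag, name) in PASSIVE:
                kind = "passive"        # address bar loses its fully-secure state
            elif (tag, name) in ACTIVE:
                kind = "active"         # browsers typically block these outright
            elif tag == "link" and name == "href" and "stylesheet" in attrs.get("rel", "").lower():
                kind = "active"
            elif tag == "form" and name == "action":
                kind = "insecure-form"  # submitted data would travel unencrypted
            else:
                continue                # e.g. <a href>: navigation, not a subresource
            self.findings.append((kind, tag, value))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: the first tag is the one quoted in the report.
SAMPLE = """
<img src='http://forum.tip.it/public/style_images/17_14_tipitcommunitylogo-deflection.png' alt='Logo' />
<img src="https://forum.tip.it/public/ok.png">
<iframe src="http://video.example/embed/1"></iframe>
<a href="http://example.com/">plain link</a>
<form action="https://forum.tip.it/login" method="post"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:14} <{tag}> {url}")
```
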
D. V. Devnull
Posted June 2, 2017 (edited)

> > What SHOULD be happening: Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.
>
> This will basically never happen due to the nature of forums. You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority. This is due to the fact we display content provided by users, and we don't host all of it.
>
> Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.

Eh... I'll go fix that... Freaking thing's out-of-date, but I can at least patch that little issue. :oops:

I do wonder, though... Is there any way to initially force a request to go https before http anyway, for things such as images referenced in posts, or is that entirely on the user to deal with? :huh:

~D. V. "I knew I was missing something, but didn't realize what..." Devnull

UPDATE: Just discovered PhotoBucket is actively refusing to operate in HTTPS Mode. I'm unable to fix my Signature at this time. I guess they'll have to get shamed by Google a lot in order to force them to change their ways. <_<

~Mr. D. V. "Bloody hell, I can't fix this myself!!!" Devnull

Edited June 2, 2017 by D. V. Devnull