Jump to content

Welcome to Rune Tips, the first ever RuneScape help site. We aim to offer skill guides, quest guides, maps, calculators, informative databases, tips, and much more to help you get the most from the Massive Online Adventure Game, RuneScape, by Jagex Ltd © 2009.

Report Ad

Welcome to Forum.Tip.It
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. If you already have an account, login here - otherwise create an account for free today!
Photo

Forum Theme Bug -- 'Deflection' Header Banner preventing Full HTTPS Status

Tip.It Community

  • Please log in to reply
4 replies to this topic

#1
D. V. Devnull
[ Display Name History ]

D. V. Devnull

    Dragon Slayer

  • Members
  • 5,162 posts
  • Gender:Male
  • Location:Slinking in shadow, finding site/forum bugs to kill...
  • Joined:1 July 2006
  • RuneScape Status:None

Description:  When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

 

Reproduction Rate:  100% -- This is ALWAYS REPRODUCIBLE!!!

 

Steps To Reproduce:

  1. Head to any page on 'forum.tip.it' with Secure Mode (HTTPS) requested.
    ("https://forum.tip.it" will do, in order to test this quickly.)
  2. Go to the Bottom of the Page.
  3. Click on "Change Theme"
  4. Select "Deflection" from the available list of choices.
  5. Address Bar will no longer fully register the 'Tip.It Forums' site as being in Secure Mode (HTTPS), all because of the blue "Tip.It Community" Header Banner being Force-Loaded in Non-Secure Mode (HTTP).

What should NOT happen:  Forums acting Non-Secure (HTTP) in the Address Bar when Secure Mode (HTTPS) is being requested by the visitor.

 

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

 

Comments:  I did happen to pin down the offending chunk of generated page code on the "Deflection" Forum Theme.  Here's what it reads...

<img src='http://forum.tip.it/public/style_images/17_14_tipitcommunitylogo-deflection.png' alt='Logo' />

...so you can quickly fix this small-but-annoying bug.  Having this same issue on another site recently caused this one to come to my attention.  Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser.  I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/.  I might be on FireFox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage. :o

 

~Mr. D. V. "I'm a natural 'Bug Magnet'... At least I'm trying to do something positive with it..." Devnull

 

 

 

(P.S.: You might be wondering... "Why's this nut using such a full-format bug reporting style?" ...to which you can thank another, totally different website for that one.  It will probably take a while before this reporting style bleeds back out of my mind, if it ever does.)

 

(P.P.S.: By the way, why isn't there a "Bug Report" or "Forums" tag for selecting?  It really would have been useful here!)


Posted Image and normally with a cool mind.
(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

#2
Hedgehog
[ Display Name History ]

Hedgehog

    ???

  • Monster Hunting Team Leader
  • 7,654 posts
  • Gender:Not Telling
  • Joined:18 November 2006
  • RuneScape Status:Retired

Huh, that's what was causing this

 

Admins please fix this so we can embed videos again



#3
D. V. Devnull
[ Display Name History ]

D. V. Devnull

    Dragon Slayer

  • Members
  • 5,162 posts
  • Gender:Male
  • Location:Slinking in shadow, finding site/forum bugs to kill...
  • Joined:1 July 2006
  • RuneScape Status:None

Admins please fix this so we can embed videos again

We're having Video Embedding Problems, as well?  Ouch! :(

 

~D. V. "definitely would help to have that fixed too" Devnull


Posted Image and normally with a cool mind.
(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)

#4
MageUK
[ Display Name History ]

MageUK

    Behind You

  • Administrators
  • 2,371 posts
  • Gender:Male
  • Location:#runescape
  • Joined:21 May 2006
  • RuneScape Status:Retired
  • RSN:Pure_MageUK

Description:  When viewing the Tip.It Community Forums in Secure Mode (HTTPS) with the 'Deflection' Theme active, the "Tip.It Community" Blue Header Banner is being Force-Loaded in Non-Secure Mode (HTTP), which causes Browsers to not fully consider the Forums to be Secured.

This particular issue is fixed, but that is not the only thing causing browsers to think there is mixed content.

 

I also believe I've fixed media not being secure as well.

 

 

Well, that, and the fact that apparently Google has started cracking down on Non-Secure site accesses in their Chrome browser.  I unfortunately heard about that one third-hand, to which I ran a web search and tracked down proof at https://www.wearegecko.co.uk/blog/security-dangers-of-http/.  I might be on FireFox myself currently, and therefore the disruption in my view is smaller, but I would not want these forums to get avoided because of Google's active shaming of Non-HTTPS usage. 

It's true that Google is rating HTTPS sites higher than HTTP, that is why we switched entirely, but some mixed content on the site does not change the fact that the actual site content is requested and displayed over HTTPS, a couple of images here and there don't make the site insecure by default, it just means any data sent when requesting that particular resource is not encrypted.  You could have HTTP images all over the login form but as long as the form posts to a HTTPS endpoint it doesn't compromise anything.

 

 

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums.  You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority.  This is due to the fact we display content provided by users, and we don't host all of it.  Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.



#5
D. V. Devnull
[ Display Name History ]

D. V. Devnull

    Dragon Slayer

  • Members
  • 5,162 posts
  • Gender:Male
  • Location:Slinking in shadow, finding site/forum bugs to kill...
  • Joined:1 July 2006
  • RuneScape Status:None

What SHOULD be happening:  Forums registering as being in Secure Mode (HTTPS) on the Address Bar when the visitor requests it.

This will basically never happen due to the nature of forums.  You might get the odd page where you get lucky and the bar is green because every resource is requested over HTTPS, but these will likely be the minority.  This is due to the fact we display content provided by users, and we don't host all of it.  Case in point: no page that you post on can ever have the forum marked secure because your signature contains an image requested over HTTP.

Eh... I'll go fix that...  Freaking thing's out-of-date, but I can at least patch that little issue. :oops:

 

I do wonder, though... Is there any way to initially force a request to go https before http anyway, for things such as images referenced in posts, or is that entirely on the user to deal with? :huh:

 

~D. V. "I knew I was missing something, but didn't realize what..." Devnull

 

  

 

UPDATE:  Just discovered PhotoBucket is actively refusing to operate in HTTPS Mode.  I'm unable to fix my Signature at this time.  I guess they'll have to get shamed by Google a lot in order to force them to change their ways. <_<

 

~Mr. D. V. "Bloody hell, I can't fix this myself!!!" Devnull


Edited by D. V. Devnull, 02 June 2017 - 04:58 PM.

Posted Image and normally with a cool mind.
(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)





Also tagged with one or more of these keywords: Tip.It, Community

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users