Hard Light Productions Forums
Site Management => Site Support / Feedback => Topic started by: jr2 on September 26, 2018, 10:12:52 pm
-
Warning shows in the right side of the URL bar in Chrome 69.0.3497.100
-
This could be related to our ongoing https issues. I've added it to our internal issue tracker.
-
Should be gone now. I've disabled the old Google AdSense stuff that caused it. Let me know if the warning still appears anywhere.
-
It's not a script but Firefox still warns about mixed content. It looks like avatars are loaded over HTTP.
-
Thanks, it's fixed now. You might still see mixed content warnings on some posts which embed images with http:// URLs, though.
-
Thanks, it's fixed now. You might still see mixed content warnings on some posts which embed images with http:// URLs, though.
Can that be fixed by setting a policy to always substitute https instead of http, and only fall back on http if https fails?
-
That's not something that browsers support and implementing that on the server would slow down the forum. We could however send a header to tell the browser not to send a referrer for images loaded over http. That way no important information would leak (without that change someone reading your internet traffic could potentially figure out which topics you read... which isn't a big deal anyway IMO).
Also, allowing stuff to fall back to http:// makes the whole effort pretty pointless since a hypothetical attacker could then just block port 443 and still read everything.
-
The Neith highlight image (hosted on hard-light.net) is loaded over HTTP.
Regarding upgrading HTTP requests, I could be wrong but isn't that what the HTTPS Everywhere extension does?
-
The highlight post contains the http:// URL which leads to the image being loaded over HTTP. I could fix this manually (by editing the post) but that leaves out all the other images with the same problem. IMO we need an automated solution for this. A list of image hosters which support HTTPS could then be used in the BBCode parser to automatically rewrite the URLs to https://. That still doesn't solve the issue for images on hosters who don't support HTTPS, though I don't know how many of those are still out there...
-
There were several places in the BBCode parser in Subs.php which explicitly specified HTTP when they constructed a URL. I changed this to use the protocol-agnostic // in those cases. This fixes the problem which kept P3D files from being displayed, so maybe it will fix other things as well.
-
This fixes the problem which kept P3D files from being displayed, so maybe it will fix other things as well.
Hey, does that warrant a highlight? :lol: (no, seriously, does it? :nervous: )
-
No, but thanks. :D
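-
The allowlist-based rewrite proposed earlier in the thread, sketched as an added example; it is not part of any post and is not the forum's or SMF's code. The function names, the host list and the sample post are all assumptions made for illustration. Hosts that are not on the list are left untouched, and nothing ever falls back from https:// to http://.

```php
<?php
// Hypothetical allowlist of image hosts known to serve the same paths over HTTPS.
const HTTPS_IMAGE_HOSTS = ['images.example.org', 'cdn.example.net'];

// Upgrade one URL to https:// only when its host is on the allowlist.
function upgrade_image_url(string $url, array $httpsHosts): string
{
    // Protocol-relative URLs already inherit the scheme of the page.
    if (strncmp($url, '//', 2) === 0) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $url; // relative or malformed: leave as written
    }
    if (strtolower($parts['scheme']) !== 'http') {
        return $url; // already https, or not a web URL
    }
    // An explicit port (e.g. :8080) is unlikely to answer TLS; do not guess.
    if (isset($parts['port'])) {
        return $url;
    }
    if (!in_array(strtolower($parts['host']), $httpsHosts, true)) {
        return $url; // unknown host: stays http and still triggers the warning
    }
    // Swap only the scheme; host, path, query and fragment stay byte-identical.
    return 'https' . substr($url, 4);
}

// Apply the upgrade to every [img]...[/img] tag in a post body.
function upgrade_img_tags(string $message, array $httpsHosts): string
{
    $out = preg_replace_callback(
        '~\[img([^\]]*)\](.+?)\[/img\]~is',
        function (array $m) use ($httpsHosts): string {
            $url = upgrade_image_url(trim($m[2]), $httpsHosts);
            return '[img' . $m[1] . ']' . $url . '[/img]';
        },
        $message
    );
    return $out ?? $message; // on a regex error keep the post unchanged
}

// Constructed sample post: one allowlisted host, one unknown host, one odd port.
$post = '[img]http://images.example.org/a.png[/img] '
      . '[img width=64]http://legacy-host.example/b.gif[/img] '
      . '[img]http://cdn.example.net:8080/c.jpg[/img]';
echo upgrade_img_tags($post, HTTPS_IMAGE_HOSTS), "\n";
```

Only the first URL in the sample is rewritten; the other two are printed exactly as they were posted.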