Thread Status: Active
Total posts in this thread: 6
hchc
Veteran Cruncher
USA
Joined: Aug 15, 2006
Post Count: 865
Mixed content on threads with http signature images

As outlined in this post, many members here have really cool signature images that user @SNURK has created, but the embedded BBcode points to the http version of the image even though that web server supports https via the Let's Encrypt CA.

What this means is that when viewing any WCG Forum thread where a signature loads that external image over http (even though the WCG forum loads over https), it creates a Mixed Content warning in the browser.

A command or script can be run on the WCG forum database (with careful testing of course) against the User table that could re-write any reference to http://www.wcgsig.com/1234567.gif to https://www.wcgsig.com/1234567.gif and this would completely cure any Mixed Content warnings on any thread page accessed, which would improve the security of this forum.

There are other signature images that may be transmitted over http, but this one change would fix a large majority.
----------------------------------------
  • i5-7500 (Kaby Lake, 4C/4T) @ 3.4 GHz
  • i5-4590 (Haswell, 4C/4T) @ 3.3 GHz
  • i5-3570 (Broadwell, 4C/4T) @ 3.4 GHz

[Jan 27, 2020 8:01:36 PM]
Former Member
Cruncher
Joined: May 22, 2018
Post Count: 0
Re: Mixed content on threads with http signature images

Never ever see this with the HTTPS Everywhere add-in to my browser. If your browser is Chrome based, then Chrome add-ins work on those too. https://www.eff.org/https-everywhere

Works on Firefox, Android, Chrome(based), Opera. Don't care one iota about IE or Edge, which are going to be Chrome/Chromium based anyhow.
[Jan 27, 2020 8:34:32 PM]
hchc
Veteran Cruncher
USA
Joined: Aug 15, 2006
Post Count: 865
Re: Mixed content on threads with http signature images

I love that add-on and like EASE functionality, but ultimately it's a workaround and doesn't address the root cause. The owner of that web server (maybe SNURK?) needs to do a 301 redirect.

That said, in the meantime, implementing the fix via a script on the WCG forum user table would address it on this end and wouldn't take much time, hence why I made the suggestion.
----------------------------------------
[Jan 27, 2020 9:48:02 PM]
KerSamson
Master Cruncher
Switzerland
Joined: Jan 29, 2007
Post Count: 1684
Re: Mixed content on threads with http signature images

I have never seen this kind of warning because of mixed content.
I use https-everywhere on Firefox and Vivaldi.
Yves
----------------------------------------
[Jan 28, 2020 9:50:47 PM]
Former Member
Cruncher
Joined: May 22, 2018
Post Count: 0
Re: Mixed content on threads with http signature images

More fun to start on http and cookies come Chrome 80

https://www.theregister.co.uk/2020/01/30/google_chrome_80_cookies/
[Jan 31, 2020 7:16:01 PM]
SNURK
Veteran Cruncher
The Netherlands
Joined: Nov 26, 2007
Post Count: 1217
Re: Mixed content on threads with http signature images

> A command or script can be run on the WCG forum database (with careful testing of course) against the User table that could re-write any reference to http://www.wcgsig.com/1234567.gif to https://www.wcgsig.com/1234567.gif and this would completely cure any Mixed Content warnings on any thread page accessed, which would improve the security of this forum.

BUMP!
I think this is a good idea and the techs should definitely consider this.
The only issue I see is the max signature size of 250 characters. Changing http to https could push signatures to 251 characters. But my guess is that this limit only exists in the interface and not in the database itself.
Thanks for suggesting this, hchc!
----------------------------------------
[Feb 19, 2020 9:14:09 AM]
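
The database rewrite proposed in the first post, combined with the 250-character concern raised in the last one, sketched as an added example that is not part of any post or of the forum's own code. The `users` table, the `signature` column and the SQLite backend are assumptions (the thread does not describe the real schema), and the sample rows are constructed.

```python
import re
import sqlite3

MAX_SIG_LEN = 250  # signature limit mentioned in the thread
OLD_PREFIX = "http://www.wcgsig.com/"
NEW_PREFIX = "https://www.wcgsig.com/"
# Rewrite only the one host the thread says already serves HTTPS.
SIG_URL = re.compile(re.escape(OLD_PREFIX), re.IGNORECASE)


def build_demo_db():
    """In-memory stand-in; 'users' and 'signature' are hypothetical names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, signature TEXT)")
    http_sig = "[img]http://www.wcgsig.com/1234567.gif[/img]"
    rows = [  # constructed sample data
        (1, http_sig),
        (2, "[img]https://www.wcgsig.com/1234567.gif[/img]"),  # already https
        (3, "[img]http://example.org/sig.png[/img]"),  # other host: untouched
        (4, http_sig + "x" * (MAX_SIG_LEN - len(http_sig))),  # exactly at limit
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    conn.commit()
    return conn


def migrate(conn, dry_run=True):
    """Return (changed_ids, too_long_ids); write only when dry_run is False."""
    changed, too_long = [], []
    rows = conn.execute(
        "SELECT id, signature FROM users WHERE signature LIKE ? ORDER BY id",
        ("%" + OLD_PREFIX + "%",),
    ).fetchall()
    with conn:  # one transaction: commit on success, roll back on error
        for uid, sig in rows:
            new_sig = SIG_URL.sub(NEW_PREFIX, sig)
            if len(new_sig) > MAX_SIG_LEN:
                too_long.append(uid)  # report for review, never truncate
                continue
            changed.append(uid)
            if not dry_run:
                conn.execute(
                    "UPDATE users SET signature = ? WHERE id = ?", (new_sig, uid)
                )
    return changed, too_long


if __name__ == "__main__":
    db = build_demo_db()
    print("dry run:", migrate(db))
    print("applied:", migrate(db, dry_run=False))
```

Signatures that would exceed the limit are listed rather than rewritten, since whether the limit is enforced in the database is left as a guess in the thread.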