Dismiss Notice
Guest, I have a big favor to ask you. We've been working very hard to establish ourselves on social media. If you like/follow our pages it would be a HUGE help to us. SoSH on Facebook and Inside the Pylon Thanks! Nip

Layout messed up in Firefox due to mixed content

Discussion in 'SoSH Support & FAQ' started by Nightslyr, Jul 21, 2018.

  1. Nightslyr

    Nightslyr lurker

    Messages:
    66
    Like the thread title says, the forum's layout is messed up in Firefox (61.0.1, Windows 10) due to mixed content restrictions. After going through the usual song and dance of clearing my cache, the problem remained. Looking at the source code, it seems that all of the CSS files are referenced with relative paths, and that the base HTML element has a URL of http://sonsofsamhorn.net rather than httpS://sonsofsamhorn.net. Dunno if that's the actual cause, but given what's happening on my end, and the message Firefox is giving me, it's at least a place to look.

    What I'm currently seeing:

    [​IMG]
     
  2. MakeMineMoxie

    MakeMineMoxie Member SoSH Member

    Messages:
    564
    Same thing is happening to me, running Vivaldi 1.15.1147.55.
     
  3. bellowthecat

    bellowthecat Member SoSH Member

    Messages:
    221
    Same thing with me using Chrome v67.0.3396.99 on Windows 7 (yes 7). Looks fine on my phone which uses the Chrome browser app v67.0.3396.87.
     
  4. fletcherpost

    fletcherpost sosh's feckin' poet laureate Lifetime Member SoSH Member

    Messages:
    8,665
    I'm getting the same thing, on my other laptop, (i use firefox) this older thing (using firefox) - nae bother.
     
  5. MakeMineMoxie

    MakeMineMoxie Member SoSH Member

    Messages:
    564
    So, do we need to do something with our browsers, wait for a browser upgrade, or is Nightslyr going to save us by fixing the code?
     
  6. Nightslyr

    Nightslyr lurker

    Messages:
    66
    If I could fix it, I would. The problem is that while the site has what appears to be a valid SSL certificate, it's attempting to serve some files (looks to be mainly images and CSS files (which are what tells a browser how elements of a site should look)) through a different connection. Typically, normal HTTP is served on port 80, while HTTPS is served on port 443. Because those files are served through an unencrypted connection, modern Firefox is simply blocking them, resulting in the site essentially being broken. Older versions of the browser may not care, but that's not really a good workaround.

    The fix is to ensure that all site files are served through the HTTPS connection. My guess is that making a slight change to the base element's URL might fix it, given what a quick scan of the source code showed me (as simple as right-clicking on a page and selecting "View Source") but I'm not sure how involved a process that would be. It could be as simple as tweaking a value in an admin panel, it could be as tedious as going into the code and changing it manually. It depends on the forum software itself.

    In any event, it's something that should be fixed as browser vendors become more strict about security. Firefox is (among) the first browser(s) to block unencrypted content, but likely won't be the last.
     
  7. MakeMineMoxie

    MakeMineMoxie Member SoSH Member

    Messages:
    564
    Thanks for the explanation. I'll see if I can report it to Vivaldi.
     
  8. Nightslyr

    Nightslyr lurker

    Messages:
    66
    Eh, they'll likely just say it's working as intended. Not allowing mixed content is a security feature. The proper fix is for whomever does the technical heavy lifting at SOSH to ensure that all site files are being served via the HTTPS connection.
     
  9. SumnerH

    SumnerH Malt Liquor Picker Dope

    Messages:
    25,508
    The problem is that you're hitting the main site via https in the first place; AFAIK we've never (sadly) been configured to support that. It's all http-only outside of login and admin parts of the site. If you switch the URL to http, the site should work fine.

    The $100 question is how you're being redirected to https at all; in theory all the links we generate are http and I've never set up any HSTS or anything else that should cause the browser to try to move to https.
     
  10. Nightslyr

    Nightslyr lurker

    Messages:
    66
    From what I can tell, Firefox automatically forces HTTPS. Even when attempting to reach the site by manually putting just http:// in the address bar, it changes it to https:// I haven't found any option to change it (at least, without digging into the browser's about:config).

    In any event, it's kind of shocking that SOSH isn't using even something like a Let's Encrypt certificate to cover the whole site. I mean, without knowing your setup, it seems like it'd be easier to encrypt all traffic going to/from the proxy than specific areas of the site. And this issue not going to be limited to Firefox... Chrome is going to list sites like this as not secure starting tomorrow (https://www.searchenginejournal.com...arnings-for-http-sites-on-july-24/262595/amp/). If they follow Firefox's lead, it won't be too long before they start outright blocking anything not transmitted over HTTPS.

    Ultimately, I really just wanted to give TPTB a heads up. While it's annoying, I can still browse the forum 'properly' with Edge.
     
  11. MakeMineMoxie

    MakeMineMoxie Member SoSH Member

    Messages:
    564
    Same here in Vivaldi. IE works OK since it has http in the URL. Also just tried to go to MLB.com in Vivaldi & got "mlb.mlb.com does not support HTTPS requests"
     
  12. SumnerH

    SumnerH Malt Liquor Picker Dope

    Messages:
    25,508
    We have the cert. It's the board software that (at least in the version we're running) sucks about spitting out mixed-content stuff that prevents us from flipping on https by default (we've done some test runs with mixed results).

    It's on the list to address, but Nip keeps threatening an update to a new version of XenForo so I've been punting until after that happens rather than duplicating work twice.

    (Browsers absolutely should complain about mixed-content on https pages, but forcing to https when the user requests http seems like a dubious choice; I'd rather have them reject http outright than lie about what they're doing.)

    FWIW I use Firefox (61.0.1 currently) regularly on SOSH and do not see this issue; it still respects http for me.
     
    #12 SumnerH, Jul 23, 2018
    Last edited: Jul 23, 2018
  13. Nightslyr

    Nightslyr lurker

    Messages:
    66
    The site displays properly for me if I change security.mixed_content.block_active_content in about:config from true (default) to false.
     
  14. SumnerH

    SumnerH Malt Liquor Picker Dope

    Messages:
    25,508
    Yuck. That's a super gross workaround that you shouldn't need.

    We'll get it sorted eventually but like I said it's a bit of a holding pattern until we figure out when the next XenForo upgrade is happening.
     
  15. The Napkin

    The Napkin wise ass al kaprielian Dope SoSH Member

    Messages:
    19,876
    Really? Why not?
     
  16. Nightslyr

    Nightslyr lurker

    Messages:
    66
    Thanks for addressing the issue to the extent that you can at this point, and putting it on your todo list :)
     
  17. Pearl Wilson

    Pearl Wilson Member SoSH Member

    Messages:
    7,003
    Brother can you spare an update for a PC FireFox user? TIA. Using I.E. for now.
     
  18. bellowthecat

    bellowthecat Member SoSH Member

    Messages:
    221
    Still experiencing this issue with Chrome. However, I discovered that the site will display properly if I access it with an incognito window.
     
  19. MakeMineMoxie

    MakeMineMoxie Member SoSH Member

    Messages:
    564
    I found that if I disabled the DuckDuckGo Privacy Essentials extension, the site now works fine in Vivaldi.
     

Share This Page