ballp.it

Snakes In The Ball Pit => Announcements => Topic started by: Lemon on September 06, 2016, 11:09:46 am

Title: [REQUEST] Test the https connection
Post by: Lemon on September 06, 2016, 11:09:46 am
Hi!

Okay, so we just finally got https running on ballp.it (your move, PornHub) and I'd like to turn it on for everybody by default, but I need to make sure I wouldn't break anything in the process.

The home page and login page are serving up fine (the biggest hurdle) -   a lot of the threads aren't going to show a green lock because a lot of threads load in images from other websites, and that's just the reality of the situation and that's fine. I'd like the green lock where possible, but I just want to make sure it doesn't actually break anywhere.

So, what I'd like a couple people to do if you've got a couple minutes: Change the URL to https://ballp.it and browse around. If you end up at http at any point, change that url to https:// and see if it still works.

If everything's hunky dory, I'll convert all existing http connections to https and we'll be feeling all super secure with our lives.
Title: [REQUEST] Test the https connection
Post by: Zekka on September 06, 2016, 11:15:17 am
Hi!

Okay, so we just finally got https running on ballp.it (your move, PornHub) and I'd like to turn it on for everybody by default, but I need to make sure I wouldn't break anything in the process.

The home page and login page are serving up fine (the biggest hurdle) -   a lot of the threads aren't going to show a green lock because a lot of threads load in images from other websites, and that's just the reality of the situation and that's fine. I'd like the green lock where possible, but I just want to make sure it doesn't actually break anywhere.

So, what I'd like a couple people to do if you've got a couple minutes: Change the URL to https://ballp.it and browse around. If you end up at http at any point, change that url to https:// and see if it still works.

If everything's hunky dory, I'll convert all existing http connections to https and we'll be feeling all super secure with our lives.
Lemon, September 06, 2016, 11:09:46 am

Firefox says that pages still contain insecure content (such as images) -- are you hardcoding HTTP for static resources?
Title: [REQUEST] Test the https connection
Post by: Lemon on September 06, 2016, 11:19:04 am
Firefox says that pages still contain insecure content (such as images) -- are you hardcoding HTTP for static resources?
Zekka, September 06, 2016, 11:15:17 am

I don't think so, hence the testing. Again, the "insecure content (such as images)" warning is an inevitability - there's all sorts of threads with pictures from different URLs, as are quite a few avatars.
Title: [REQUEST] Test the https connection
Post by: Zekka on September 06, 2016, 11:22:43 am
Firefox says that pages still contain insecure content (such as images) -- are you hardcoding HTTP for static resources?
Zekka, September 06, 2016, 11:15:17 am

I don't think so, hence the testing. Again, the "insecure content (such as images)" warning is an inevitability - there's all sorts of threads with pictures from different URLs, as are quite a few avatars.
Lemon, September 06, 2016, 11:19:04 am

Oh. Uh, I had assumed the lock only went yellow if the insecure resources were on the same server, but I think your version makes more sense.
Title: [REQUEST] Test the https connection
Post by: Lemon on September 06, 2016, 11:29:05 am
Oh. Uh, I had assumed the lock only went yellow if the insecure resources were on the same server, but I think your version makes more sense.
Zekka, September 06, 2016, 11:22:43 am

Both Chrome and Mozilla have changed their strategy for this a number of times this year. It used to be that if you had an https site which loaded something via http, you got this big red alert box that was like "HOLY SHIT THIS IS TOTALLY INSECURE", which made people like myself very to want to fuck with anything.

Now, if you have "mixed content", the icon is a piece of paper, the same thing you get if you go to a regular http site, which is much more reasonable.
Title: [REQUEST] Test the https connection
Post by: EYE OF ZA on September 06, 2016, 11:40:17 am
Android Chrome here, works fine.  Secure icon shows up unless I visit a thread with external images.
Title: [REQUEST] Test the https connection
Post by: Yavuz on September 06, 2016, 12:17:05 pm
It seems to work fine on Chrome for Mac, although the bulb image appears to be loading through the http version of ballp.it.

ETA: I'm not sure that it is the bulbs. Here's the message from Chrome's inspector: "Mixed Content: The page at 'https://ballp.it/index.php?topic=2325.0' was loaded over HTTPS, but requested an insecure image 'http://ballp.it/index.php?%61ction=bulb;msg=62265;topic=1984'. This content should also be served over HTTPS."
Title: [REQUEST] Test the https connection
Post by: Lemon on September 06, 2016, 12:23:29 pm
You mean the bulb icon? That shouldn't be true. The bulb is inline svg, so it's pulling from another part on the page. The inline svg does have
xmlns="http://www.w3.org/2000/svg"
in the defintion, but unfortunately that's just the way it needs to be written.

Although now that you mention it, I think I might just stick all the svg into one external file, which I had wanted to to a long time ago. It'll improve page load for everyone while also breaking on every single version of IE (including IE11). Which might be okay.
Title: [REQUEST] Test the https connection
Post by: Jack Sensation on September 06, 2016, 12:32:06 pm
(http://i.imgur.com/TLM3glz.png)

I'd seen everything there but the filled star wouldn't go away until I went to the non-HTTPS version of the site.

e: I puzzled it out, it's because I was the last poster there.
Title: [REQUEST] Test the https connection
Post by: Zekka on September 06, 2016, 01:41:26 pm
It seems to work fine on Chrome for Mac, although the bulb image appears to be loading through the http version of ballp.it.

ETA: I'm not sure that it is the bulbs. Here's the message from Chrome's inspector: "Mixed Content: The page at 'https://ballp.it/index.php?topic=2325.0' was loaded over HTTPS, but requested an insecure image 'http://ballp.it/index.php?%61ction=bulb;msg=62265;topic=1984'. This content should also be served over HTTPS."
Yavuz Sultan Selim, September 06, 2016, 12:17:05 pm

Oh, that's because I made my avatar a csrf attack as part of an earlier gimmick. It's not the real bulb icon.
Title: [REQUEST] Test the https connection
Post by: Lemon on September 08, 2016, 11:54:42 am
Testing seems to have gone well. All connections to ballp.it are now HTTPS.
Title: [REQUEST] Test the https connection
Post by: Ashto on September 10, 2016, 12:06:03 am
Is there any chance this change would have affected the .css files for the  forum profiles? I don't recall there being so many <hr> tags before.

Edit: or the <li> tags next icons on other's profiles. Coincidentally, can't seem to change the post attachment once it's gone up, but that's a separate issue.
Title: [REQUEST] Test the https connection
Post by: chai tea latte on September 10, 2016, 12:10:14 am
Pretty sure that's a new design. I like it a bunch.
Title: [REQUEST] Test the https connection
Post by: Lemon on September 10, 2016, 12:29:14 am
Yeah, unrelated to the HTTPS I tweaked the design of the user profile page.

Thanks chai