Welcome to Codidact Meta!

Codidact Meta is the meta-discussion site for the Codidact community network and the Codidact software. Whether you have bug reports or feature requests, support questions or rule discussions that touch the whole network – this is the site for you.

Comments on Collab question pages not fully encrypted

Post

Collab question pages not fully encrypted

+1
−0

The main page of Collab Codidact is encrypted fully and shows a padlock symbol in the URL bar (top of the page on desktop, bottom of the page on mobile) in Firefox:

[Screenshots: Collab question list page with padlock, on desktop and on mobile]

However, visiting a question from the question list changes this symbol to a padlock with an exclamation mark (on desktop) or a padlock with a red line through it (on mobile):

[Screenshots: Collab individual question page with broken padlock, on desktop and on mobile]

This seems to be the same for other questions on Collab Codidact, but doesn't seem to affect other Codidact communities, where the full encryption shows for both question list pages and individual question pages.

Is this a bug or is there a need for this different behaviour for Collab?


1 comment thread

Can't repro (6 comments)
ArtOfCode wrote almost 2 years ago

I can't reproduce this. If you click on the lock icon and into whatever details it'll give you, does it tell you what resource exactly is insecure?

trichoplax wrote almost 2 years ago

The message in the padlock icon is vague, only mentioning images, not which ones. I've just had a look in the Network tab of the developer window and it looks like the only requests with a broken padlock symbol are returning a 301.

For example, there's a 301 response for "48.png" but then afterwards there's also a 200 response for "48.png". Both look like the same image from the same place, but with slightly different settings:

The 301 response shows Version: HTTP/1.1 while the 200 response shows Version: HTTP/2

The 301 response shows Content-Type: text/html even though it's a PNG image, while the 200 response shows Content-Type: image/png

The 301 response also shows a Location: https://collab.codidact.org/users/56889/avatar/48.png . Note that 56889 is not my user id, and this number is used regardless of whether I am logged in. Is this some kind of default user? The image is of an upper case T in white on a purple background.

trichoplax wrote almost 2 years ago

The only other 301 responses only show when I'm logged in, and are images of size 60x60 and 400x400. The 60x60 is my avatar, and the 400x400 is plain white - not sure if it's a cropping of my avatar, which does have a plain white background?

There are 200 response instances of my avatar too, so it displays fine on the site. This isn't disrupting my use of the site in any way, I just thought I should let you know that Firefox is labelling some pages as "Connection Partially Encrypted" in case that is something you want to avoid.

ArtOfCode wrote almost 2 years ago

trichoplax thanks, that's helpful. I think this is all because I forgot to turn the CF proxy back on after the server work, which I've now done so this should resolve itself. (As for those URLs, it goes site.codidact.org/users/USER_ID/avatar/SIZE.png.)

Monica Cellio wrote almost 2 years ago

trichoplax if Art's change fixed this, please let us know (a flag is good) and we'll mark it status-completed.

trichoplax wrote almost 2 years ago

After some sleep I've had another look and the upper case T is just the avatar of the answerer, and the plain white image is the avatar of the question asker (just happens that their avatar is plain white - not a cropping of mine). The extra image when I'm logged in is my avatar for the top right.

Yesterday avatars were in 2 versions each - a broken padlock 301 response in the format you describe (collab.codidact.org/users/USER_ID/avatar/SIZE.png) and a 200 response in the format https://s3.amazonaws.com/storage.qpixel.artofcode.co.uk/HASH.

Today they are in 2 versions each but with no broken padlocks - a 301 response in the format https://collab.codidact.org/uploads/HASH and the same 200 response as yesterday. I'm guessing this is a result of historically keeping images on collab.codidact.org and now having them with identical hash as a filename but on AWS instead.

I can confirm that the broken padlock no longer shows on either desktop or mobile. Thanks for the fix!
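
An added example, not part of the original thread or Codidact's own code: a Python check that automates the Network-tab inspection described in the comments by reading a HAR export and listing subresource requests sent over `http://` from an `https://` page. It assumes the broken-padlock 301 requests were plain-HTTP first hops (the thread does not show their scheme); the sample entries and hostnames are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR-style sample (not captured from the site). Hostnames are
# placeholders; only the avatar path shape follows the thread.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://site.example/posts/1"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"}]}},
    {"request": {"url": "http://site.example/users/1/avatar/48.png"},
     "response": {"status": 301, "headers": [
         {"name": "Content-Type", "value": "text/html"},
         {"name": "Location", "value": "https://cdn.example/HASH"}]}},
    {"request": {"url": "https://cdn.example/HASH"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "image/png"}]}},
]}})


def header(response, name):
    """Case-insensitive lookup of one response header in a HAR entry."""
    for h in response.get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def insecure_requests(har_text, page_url):
    """Return subresource requests sent in cleartext from an HTTPS page.

    The scheme of the request URL decides it: a 301 to an https:// Location
    does not help, because the first hop already left the browser over HTTP.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for secure pages
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        if urlsplit(url).scheme != "http":
            continue
        resp = entry["response"]
        location = header(resp, "Location")
        findings.append({"url": url, "status": resp["status"],
                         "location": location,
                         "redirects_to_https": (location or "").startswith("https://")})
    return findings


if __name__ == "__main__":
    for finding in insecure_requests(SAMPLE_HAR, "https://site.example/posts/1"):
        print(finding)
```

Firefox can save the Network tab's contents as a HAR file, which can be passed to `insecure_requests` as text along with the page URL.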