Layout messed up in Firefox due to mixed content

Two Youks

New Member
Jun 18, 2013
124
Like the thread title says, the forum's layout is messed up in Firefox (61.0.1, Windows 10) due to mixed content restrictions. After going through the usual song and dance of clearing my cache, the problem remained. Looking at the source code, it seems that all of the CSS files are referenced with relative paths, and that the base HTML element has a URL of http://sonsofsamhorn.net rather than httpS://sonsofsamhorn.net. Dunno if that's the actual cause, but given what's happening on my end, and the message Firefox is giving me, it's at least a place to look.

What I'm currently seeing:

 

Two Youks

New Member
Jun 18, 2013
124
If I could fix it, I would. The problem is that while the site has what appears to be a valid SSL certificate, it's attempting to serve some files (looks to be mainly images and CSS files (which are what tells a browser how elements of a site should look)) through a different connection. Typically, normal HTTP is served on port 80, while HTTPS is served on port 443. Because those files are served through an unencrypted connection, modern Firefox is simply blocking them, resulting in the site essentially being broken. Older versions of the browser may not care, but that's not really a good workaround.

The fix is to ensure that all site files are served through the HTTPS connection. My guess is that making a slight change to the base element's URL might fix it, given what a quick scan of the source code showed me (as simple as right-clicking on a page and selecting "View Source") but I'm not sure how involved a process that would be. It could be as simple as tweaking a value in an admin panel, it could be as tedious as going into the code and changing it manually. It depends on the forum software itself.

In any event, it's something that should be fixed as browser vendors become more strict about security. Firefox is (among) the first browser(s) to block unencrypted content, but likely won't be the last.
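
The diagnosis in the posts above (relative CSS paths resolved against an http:// base element on a page loaded over HTTPS), as an added example that is not part of the original thread or the forum's own code. It resolves each subresource URL the way a browser would and lists those that end up on plain HTTP; the host forum.example and the sample markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs. Active content is what Firefox's
# security.mixed_content.block_active_content blocks; passive is display content.
ACTIVE = {("link", "href"), ("script", "src"), ("iframe", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url          # used until a <base href> overrides it
        self.base_seen = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            if attrs.get("href") and not self.base_seen:  # only the first <base> counts
                self.base = urljoin(self.page_url, attrs["href"])
                self.base_seen = True
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in pairs:
                if t == tag and attrs.get(attr):
                    resolved = urljoin(self.base, attrs[attr])
                    if urlsplit(resolved).scheme == "http":
                        self.findings.append((kind, tag, resolved))

def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []                     # mixed content only exists on HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; forum.example is a placeholder host.
PAGE = "https://forum.example/index.php"
SAMPLE = """<html><head><base href="http://forum.example/">
<link rel="stylesheet" href="css.php?style=1">
<script src="js/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/ok.css">
</head><body><img src="styles/logo.png"></body></html>"""

if __name__ == "__main__":
    for finding in scan(PAGE, SAMPLE):
        print(*finding)
```

Changing only the base href in the sample to https:// makes the scan come back empty, which is the one-value fix guessed at in the post above.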
 

Two Youks

New Member
Jun 18, 2013
124
Eh, they'll likely just say it's working as intended. Not allowing mixed content is a security feature. The proper fix is for whoever does the technical heavy lifting at SOSH to ensure that all site files are being served via the HTTPS connection.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,893
Alexandria, VA
> Eh, they'll likely just say it's working as intended. Not allowing mixed content is a security feature. The proper fix is for whoever does the technical heavy lifting at SOSH to ensure that all site files are being served via the HTTPS connection.
The problem is that you're hitting the main site via https in the first place; AFAIK we've never (sadly) been configured to support that. It's all http-only outside of login and admin parts of the site. If you switch the URL to http, the site should work fine.

The $100 question is how you're being redirected to https at all; in theory all the links we generate are http and I've never set up any HSTS or anything else that should cause the browser to try to move to https.
 

Two Youks

New Member
Jun 18, 2013
124
From what I can tell, Firefox automatically forces HTTPS. Even when attempting to reach the site by manually putting just http:// in the address bar, it changes it to https://. I haven't found any option to change it (at least, without digging into the browser's about:config).

In any event, it's kind of shocking that SOSH isn't using even something like a Let's Encrypt certificate to cover the whole site. I mean, without knowing your setup, it seems like it'd be easier to encrypt all traffic going to/from the proxy than specific areas of the site. And this issue is not going to be limited to Firefox... Chrome is going to list sites like this as not secure starting tomorrow (https://www.searchenginejournal.com/reminder-chrome-browser-to-display-not-secure-warnings-for-http-sites-on-july-24/262595/amp/). If they follow Firefox's lead, it won't be too long before they start outright blocking anything not transmitted over HTTPS.

Ultimately, I really just wanted to give TPTB a heads up. While it's annoying, I can still browse the forum 'properly' with Edge.
 

MakeMineMoxie

Member
SoSH Member
Jul 15, 2005
722
The floor of Punter's Pub
> From what I can tell, Firefox automatically forces HTTPS. Even when attempting to reach the site by manually putting just http:// in the address bar, it changes it to https://. I haven't found any option to change it (at least, without digging into the browser's about:config).
Same here in Vivaldi. IE works OK since it has http in the URL. Also just tried to go to MLB.com in Vivaldi & got "mlb.mlb.com does not support HTTPS requests"
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,893
Alexandria, VA
> From what I can tell, Firefox automatically forces HTTPS. Even when attempting to reach the site by manually putting just http:// in the address bar, it changes it to https://. I haven't found any option to change it (at least, without digging into the browser's about:config).
>
> In any event, it's kind of shocking that SOSH isn't using even something like a Let's Encrypt certificate to cover the whole site.
We have the cert. It's the board software that (at least in the version we're running) sucks about spitting out mixed-content stuff that prevents us from flipping on https by default (we've done some test runs with mixed results).

It's on the list to address, but Nip keeps threatening an update to a new version of XenForo so I've been punting until after that happens rather than duplicating work twice.

(Browsers absolutely should complain about mixed-content on https pages, but forcing to https when the user requests http seems like a dubious choice; I'd rather have them reject http outright than lie about what they're doing.)

FWIW I use Firefox (61.0.1 currently) regularly on SOSH and do not see this issue; it still respects http for me.
 

Two Youks

New Member
Jun 18, 2013
124
The site displays properly for me if I change security.mixed_content.block_active_content in about:config from true (default) to false.
 

SumnerH

Malt Liquor Picker
Dope
SoSH Member
Jul 18, 2005
31,893
Alexandria, VA
> The site displays properly for me if I change security.mixed_content.block_active_content in about:config from true (default) to false.
Yuck. That's a super gross workaround that you shouldn't need.

We'll get it sorted eventually but like I said it's a bit of a holding pattern until we figure out when the next XenForo upgrade is happening.
 

Two Youks

New Member
Jun 18, 2013
124
> Yuck. That's a super gross workaround that you shouldn't need.
>
> We'll get it sorted eventually but like I said it's a bit of a holding pattern until we figure out when the next XenForo upgrade is happening.
Thanks for addressing the issue to the extent that you can at this point, and putting it on your todo list :)
 

bellowthecat

Member
SoSH Member
Jul 18, 2010
589
Massachusetts
Still experiencing this issue with Chrome. However, I discovered that the site will display properly if I access it with an incognito window.