Bug Report Lost some functionality

Status
Not open for further replies.

Marka

Guest
FireFox 39.0 (up to date)
Win 7 Home Premium SP-1

For about the last two days (today included)...

a.) When I type the first letter of my username to log on, it doesn't offer a drop-down with my name, and it doesn't fill in the password anymore when I tab over to the P/W field...

b.) Everything in "Top Ten Stats" read loading but, wouldn't load... oddly enough, when I checked this in a new tab just now, I see that it did load only then...

I don't know... anyone else have this issue too?

Thanks,
-Marka
 

Technologic

Est. Contributor
No idea about A but the site is throwing CORS errors which is preventing B from showing.

Code:
XMLHttpRequest cannot load https://www.adisc.org/forum/misc.php?show=latestblogs&vsacb_resnr=10. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.adisc.org' is therefore not allowed access.
XMLHttpRequest cannot load https://www.adisc.org/forum/misc.php?show=mostviewedthreads&vsacb_resnr=10. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.adisc.org' is therefore not allowed access.
XMLHttpRequest cannot load https://www.adisc.org/forum/misc.php?show=latestposts&vsacb_resnr=10. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.adisc.org' is therefore not allowed access.

Looks like it is a CORS error caused by Most Viewed, Latest Blogs, and Latest Posts being pulled in via https when you loaded the page with http. If you connect to https://www.adisc.org they work.
 

Marka

Guest
Thank you... On 3rd day with the same problem still... As far as I know, I'm on all https for ADISC... I won't pretend to know what "CORS" is; I still have to open a new tab to get that part working after I've logged in manually, from the saved passwords interface in FF (c/p strong password) :dunno: -Marka
 

Technologic

Est. Contributor
Basically,
CORS = Cross Origin Resource Sharing.

In this case it looks like (at least on my end) when you access the site via, http://www.adisc.org the web page is making a request to https://www.adisc.org

http://www.adisc.org and https://www.adisc.org are different origins and thus CORS comes into play. As a security feature, browsers do not allow one origin to pull data from another unless it is explicitly told it is OK to do so. So my guess is the part of the code that says, "It's OK to access https data from the http site" is missing. So it throws errors saying it cannot load the resource.

If you connect to the site, then press "F12" on your keyboard, a developer tool window will open in your browser. On that tool there will be a tab called, "Console" if you click on that and look for the red error text, it will give Moo a better idea of what is happening, in case you are experiencing something different from me. It could also hold clues to why your login isn't working if you look at the console while on the login page.

This was probably more than you bargained for but it never hurts to try something new.

Here is what it looks like in Google Chrome. F12 opens the entire section at the bottom, and the "Console" is where it will display any errors the web browser is throwing. The highlighted portions are the errors.
example.jpg

Bigger version since the attached one was scaled down so much.
http://s23.postimg.org/ttw485c0b/example.png
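
The origin comparison described in the post above, as an added example that is not part of the original thread or the site's code: it applies the same-origin test and the Access-Control-Allow-Origin check to the URLs from the console output. The page paths and response header sets are constructed samples, and credentialed requests and preflight rules are left out.

```javascript
// Added example, not code from the thread or the site.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple; path and query play no part.
function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the port is the scheme's default, so fill it in.
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Serialise the way a browser writes the Origin request header.
function serializeOrigin(url) {
  const o = originOf(url);
  const portPart = o.port === DEFAULT_PORTS[o.scheme] ? "" : ":" + o.port;
  return `${o.scheme}//${o.host}${portPart}`;
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// May script running on pageUrl read the response to an XHR for requestUrl?
// responseHeaders maps lower-cased header names to values.
function mayReadResponse(pageUrl, requestUrl, responseHeaders) {
  if (sameOrigin(pageUrl, requestUrl)) {
    return { allowed: true, reason: "same origin, CORS not involved" };
  }
  const origin = serializeOrigin(pageUrl);
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "Access-Control-Allow-Origin missing" };
  }
  if (acao === "*" || acao === origin) {
    return { allowed: true, reason: "allowed by header value " + acao };
  }
  return { allowed: false, reason: `header names ${acao}, page origin is ${origin}` };
}

// XHR URL taken from the console output; page paths and headers are constructed.
const STATS_XHR = "https://www.adisc.org/forum/misc.php?show=latestposts&vsacb_resnr=10";
const HTTP_PAGE = "http://www.adisc.org/forum/";
const HTTPS_PAGE = "https://www.adisc.org/forum/forum.php";

function corsDemo() {
  return {
    httpPage: mayReadResponse(HTTP_PAGE, STATS_XHR, {}),
    httpsPage: mayReadResponse(HTTPS_PAGE, STATS_XHR, {}),
    optIn: mayReadResponse(HTTP_PAGE, STATS_XHR, { "access-control-allow-origin": "http://www.adisc.org" }),
  };
}
console.log(corsDemo());
```

Only the scheme differs between the two page URLs, and that alone is enough to make the stats request cross-origin from the http page.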
 

Marka

Guest
[...]

This was probably more than you bargained for but it never hurts to try something new.

[...]

It really was more than I bargained for... but that was great!

Your explanation is clear and succinct... I'll try the console option at the login point here shortly.

The image (larger one) that you provided does show the one issue that I am having too "Loading..."

So far, the work-around for me is to open https://www.adisc.org/forum/forum.php in a new tab after logging on...

Many thanks!
-Marka

Pre-login: [F12] "Console" "Security"
"This browser is AJAX compatible" vbulletin-core.js:11:10737
"Firing System Init" vbulletin-core.js:11:26208
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.[Learn More] <unknown>
"Fire vB_XHTML_Ready" vbulletin-core.js:11:29535
"Fetch Cookie :: vbulletin_collapse (null)" vbulletin-core.js:11:17103
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=mostviewedthreads&vsacb_resnr=10. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=mostviewedthreads&vsacb_resnr=10. (Reason: CORS request failed). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestblogs&vsacb_resnr=10. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestblogs&vsacb_resnr=10. (Reason: CORS request failed). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestposts&vsacb_resnr=10. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestposts&vsacb_resnr=10. (Reason: CORS request failed). <unknown>

Post-login: [F12] "Console" "Security"

GET
http://www.adisc.org/forum/ [HTTP/1.1 200 OK 390ms]
GET
https://www.adisc.org/forum/css.php [HTTP/1.1 200 OK 188ms]
GET
https://www.adisc.org/forum/images/cms/widget-blog.png [HTTP/1.1 200 OK 250ms]
GET
https://www.adisc.org/forum/customavatars/avatar14120_7.gif [HTTP/1.1 200 OK 266ms]
GET
https://www.adisc.org/forum/images/misc/unknown.gif [HTTP/1.1 200 OK 250ms]
GET
https://www.adisc.org/forum/customavatars/avatar29180_1.gif [HTTP/1.1 200 OK 266ms]
GET
https://www.adisc.org/forum/images/statusicon/forum_new-48.png [HTTP/1.1 200 OK 266ms]
GET
https://www.adisc.org/forum/images/statusicon/subforum_new-48.png [HTTP/1.1 200 OK 266ms]
GET
https://www.adisc.org/forum/images/icons/icon10.png [HTTP/1.1 200 OK 312ms]
GET
https://www.adisc.org/forum/attachment.php [HTTP/1.1 200 OK 483ms]
GET
https://www.adisc.org/forum/attachment.php [HTTP/1.1 200 OK 483ms]
GET
https://www.adisc.org/forum/attachment.php [HTTP/1.1 200 OK 483ms]
GET
https://www.adisc.org/forum/attachment.php [HTTP/1.1 200 OK 483ms]
GET
https://www.adisc.org/forum/attachment.php [HTTP/1.1 200 OK 483ms]
"This browser is AJAX compatible" vbulletin-core.js:11:10737
GET
https://www.adisc.org/forum/images/misc/black_downward_arrow.png [HTTP/1.1 200 OK 78ms]
GET
https://www.adisc.org/forum/images/gradients/top-highlight.png [HTTP/1.1 200 OK 63ms]
GET
https://www.adisc.org/forum/images/misc/subscribed_40b.png [HTTP/1.1 200 OK 62ms]
"Firing System Init" vbulletin-core.js:11:26208
"Fire vB_XHTML_Ready" vbulletin-core.js:11:29535
"Fetch Cookie :: vbulletin_collapse (null)" vbulletin-core.js:11:17103
OPTIONS
XHR
https://www.adisc.org/forum/misc.php [HTTP/1.1 200 OK 452ms]
OPTIONS
XHR
https://www.adisc.org/forum/misc.php [HTTP/1.1 200 OK 1451ms]
OPTIONS
XHR
https://www.adisc.org/forum/misc.php [HTTP/1.1 200 OK 312ms]
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestblogs&vsacb_resnr=10. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestblogs&vsacb_resnr=10. (Reason: CORS request failed). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestposts&vsacb_resnr=10. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=latestposts&vsacb_resnr=10. (Reason: CORS request failed). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=mostviewedthreads&vsacb_resnr=10. (Reason: CORS header 'Access-Control-Allow-Origin' missing). <unknown>
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.adisc.org/forum/misc.php?show=mostviewedthreads&vsacb_resnr=10. (Reason: CORS request failed). <unknown>

I do have a number of CSS messages too... though I suspect that is fairly common and, not the issue...

-Marka
 
Last edited by a moderator:

Technologic

Est. Contributor
I downloaded firefox to give it a shot and it seems FireFox has more security checks in place than Chrome does.

Based off everything I am seeing in your console and when I tested it, it looks like you are loading the http version, at least before you log in. If I go to adisc.org it takes me to the standard http version, but every single link on the page will take you to the https version, so once you start browsing the boards you will be on https and then those three boxes of new posts/blogs should load correctly.


Let's start off here,
Code:
Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.[Learn More] <unknown>

This is specific to FireFox. FireFox is looking at the "Form" that handles your login credentials and sees that upon submission, it is sending your password to http://www.adisc.org/login.php?do=login instead of https. Because of this, FireFox disables its built-in auto form filling for passwords, as they see it as a security issue. What FireFox doesn't see is that before submitting your password to the non-secure http, it is hashing your password into an MD5 hash and then sending that along. While this still isn't perfect, it is better than passing your password as a plain text string.

So if your password was, "password", instead of sending "password" to the server it would send something similar to, "5f4dcc3b5aa765d61d8327deb882cf99" in its place. But I will stop myself from going into detail about this as it is an entire book.

But that is why your password is not auto filling. FireFox sees it as unsafe to do so, so it isn't filling it in.

The CSS (Custom Style Sheet) issues will generally be noticeable when things start looking wrong. CSS controls the look and feel of the website and not so much the functionality.


So far, the work-around for me is to open https://www.adisc.org/forum/forum.php in a new tab after logging on...

How do you navigate to that address in a new tab? If you are getting there by following a link on the page where you get the "Loading" issue then my guess is that somehow you are always loading up, http://www.adisc.org then logging in there (This would cause the no auto fill on password) Then once logged in you middle click a link or right click, open in new tab, to open the new tab. If that is how you do it, then it works because all of the links on the page all point to https. So you login on http then immediately get thrown to https. So the first page you land on will have the "Loading" problem but every time you click a link, you are on https, but you hit the "Back" button to go back to the "home" page and that puts you back on http where you experience the "Loading" issue still. But if you click on the "Adisc" logo at the top that will direct you to https and then you shouldn't have the "Loading" issue. Also if you navigate directly to https://www.adisc.org then try and login it should auto fill your password.

I think if Moo just redirects all http requests to https it would solve everything. However I am not really a web developer so there could be some other things that have to be taken into consideration.

Hopefully that explains what's happening and how to work around it until Moo gets a chance to fix the issues.
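
The client-side hashing step described in the post above, as an added example that is not part of the original thread or the forum software's code: it shows what the hashing does and does not change about the value sent over http. The field names, the account record and the server check are hypothetical.

```javascript
// Added example, not code from the thread or the forum software.
// Field names and the account record are hypothetical.
const crypto = require("crypto");

function md5Hex(text) {
  return crypto.createHash("md5").update(text, "utf8").digest("hex");
}

// Client side: the form sends the digest in place of the typed password.
function buildLoginBody(username, password) {
  return new URLSearchParams({ username, md5password: md5Hex(password) }).toString();
}

// Server side: accept the login when the submitted digest matches the stored one.
function serverAccepts(body, account) {
  const fields = new URLSearchParams(body);
  return fields.get("username") === account.username &&
         fields.get("md5password") === account.md5password;
}

// Constructed sample account using the password from the post.
const ACCOUNT = { username: "exampleuser", md5password: md5Hex("password") };

function loginDemo() {
  const first = buildLoginBody("exampleuser", "password");
  const second = buildLoginBody("exampleuser", "password");
  // A body assembled from the digest alone, without the cleartext password.
  const fromDigest = new URLSearchParams({
    username: "exampleuser",
    md5password: "5f4dcc3b5aa765d61d8327deb882cf99",
  }).toString();
  return {
    digest: md5Hex("password"),
    sameBytesEveryLogin: first === second,
    cleartextOnWire: first.includes("=password"),
    digestAloneAccepted: serverAccepts(fromDigest, ACCOUNT),
  };
}
console.log(loginDemo());
```

The cleartext never appears in the request, but the digest is identical on every login and is the only thing the server checks, so it needs the same transport protection as the password itself, which loading the login page over https provides.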
 

Marka

Guest
RESOLVED (On my side)


Yes, once again... your explanation (not to mention trying out FF to get the effect and, I believe that FF is more secure)... succinct, and informative, all-in-one... Thank you!

IDK if something was changed, or broke... approximately 5-days ago... However, I checked and changed my "Bookmarks Toolbar" shortcut for ADISC, from http to https... Then, when that failed to resolve the auto-fill-in and "loading..."; I went to my p/w manager and changed the http to https as well... and now we have it!

Perfect!
Thank you again,
-Marka
 

Moo

ADISC Admin
Staff
b.) Everything in "Top Ten Stats" read loading but, wouldn't load... oddly enough, when I checked this in a new tab just now, I see that it did load only then...

Does it load for you now on HTTP?
 

Marka

Guest
Does it load for you now on HTTP?

After changing my references to be all HTTPS, I haven't experienced any more issues... though I also no longer have any requirement to use any HTTP only targets. (Basically, I never updated my bookmark link or the reference in my p/w manager for quite a long time.)

Short Answer: I have not since tried via HTTP only so, IDK yet.

I do intend to try it since you've asked, when I do a fresh login next time...

As an extraordinarily insignificant aesthetic issue alone... Once I changed to pointing at https only... 'favicon', for my bookmark-toolbar (https://www.adisc.org/) no longer displays, though it still shows in the tabs as expected.

Thank you!
-Marka

------------Updated-------------
19:56 PDST 9/1/2015

Yes, starting the login under HTTP only, everything loaded appropriately. -Thank you!
-Marka
 
Last edited by a moderator: