-
• #6477
Is there some way of updating the T&Cs on the forum to copyright and prevent our comments being reproduced without our permission in the press?
Guessing no, but curious.
-
• #6478
Pretty sure as a public forum the press have fair use rights to reproduce what's written on here.
-
• #6479
@Velocio I'm getting error messages when I try and post using Chrome with the PIA add-on enabled
It comes up with
Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.
-
• #6480
PIA is lying. No referer header is required. Not sure why they think it is.
I shall do a test tomorrow morning on my other computer (the one with PIA on... this one is a media PC and isn't VPN'd).
-
• #6481
Cheers. Connecting to PIA for the system works fine for posting, it just appears to be the Chrome add-in that causes the problem (same error on Win10 and Chromebook so OS doesn't seem to be an issue).
-
• #6482
OK. Found it.
So Django (a web framework that is used to power the front-end of Microcosm sites including LFGSS) does use the Referer header as part of the information that is hashed into the CSRF token.
CSRF = Cross Site Request Forgery. Forms on HTML pages need to use such a token to ensure that other people cannot trick you into submitting forms as you.
If anyone remembers on vBulletin when Ed Scoble put an image in a post whose image URL was the "Mark Forum Read" link... you'll know what CSRF tokens do. They prevent that.
They work like this:
- Visit a page with a form on, and the server generates a unique token
- Submit a form, and the form contains the token generated earlier
- When the server receives the form the token is checked to make sure it matches the one originally generated
None of that requires the Referer header. But... Django clearly generates the unique token using that piece of information.
Which means if the referer header is stripped, then Django can never validate the CSRF token and the server doesn't believe that you are the person submitting the form.
Now... the PIA extension... it is being too aggressive.
The sane and best way to approach Referer headers is to strip it when the domain is different. i.e. do not tell other sites which page you were visiting earlier.
But what PIA is doing in their Chrome extension is stripping the Referer header even when you are on the same domain. This will break all manner of things: CSRF tokens, images on sites that have scrape protection, etc.
This is a bug in their extension, not on LFGSS.
You can disable this feature, but their documentation reads like you need to disable it every time:
- "Extension Settings" > "Tracking" > uncheck "Disable website referrer"
This will make LFGSS work again.
A better thing to do is to not use the browser extension and to use the system application for PIA instead. But perhaps you do not have the ability to install that.
I'll register a bug with the PIA extension and hope that they fix it.
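As an added illustration of the three steps above (not Django's or Microcosm's code), here is a minimal token check alongside a Django-style strict Referer check: on HTTPS requests Django compares the Referer against the site's own origin rather than mixing it into the token, which is why a stripped header yields the 403 quoted above even when the token itself is valid. The session store, host names and URLs are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory store: session id -> CSRF token issued with the form page.
SESSIONS = {}


def issue_token(session_id):
    """Step 1: when the form page is rendered, mint a random token and remember it."""
    token = secrets.token_hex(32)
    SESSIONS[session_id] = token
    return token


def same_origin(referer, expected_host):
    """Strict Referer check for HTTPS submissions, as Django does it: the header
    must be present and must point at this site. A missing header fails."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == expected_host


def check_request(session_id, submitted_token, referer, host, https=True):
    """Steps 2-3: validate the submitted form. Returns (status, reason).

    The Referer is only consulted on HTTPS; the token comparison itself never
    needs it. Stripping the header therefore fails a genuine submission before
    the token is even looked at."""
    if https and not same_origin(referer, host):
        return 403, "CSRF verification failed: Referer header missing or foreign."
    expected = SESSIONS.get(session_id)
    if expected is None or not submitted_token:
        return 403, "CSRF verification failed: no token for this session."
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return 403, "CSRF verification failed: token mismatch."
    return 200, "ok"


if __name__ == "__main__":
    tok = issue_token("session-1")
    # Genuine submission from the site's own form page.
    print(check_request("session-1", tok, "https://www.lfgss.com/comments/create", "www.lfgss.com"))
    # Same genuine submission, but the browser extension removed the Referer.
    print(check_request("session-1", tok, None, "www.lfgss.com"))
    # A form submitted from another site carries neither a valid Referer nor the token.
    print(check_request("session-1", None, "https://other.example/page", "www.lfgss.com"))
```

The second call is the PIA case: a correct token is rejected purely because the Referer was stripped on a same-origin request.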
-
• #6483
Bug report submitted via the Chrome Extension feedback and their support help desk.
-
• #6484
Cheers for the detailed explanation. It's only an issue on my Chromebook where the extension is the easiest option. I guess this could be the impetus to set up a VPN properly on there.
-
• #6485
How did the topic make it to the main index?
-
• #6486
Firefox 55.0.3 (64-bit) on Windows 10 has trouble jumping to the latest read post in threads, I think due to pictures. It loads up to the most recently read post and then when the images load, the content moves a good amount out of the way (down). I think it's the pictures, because in threads without them, it jumps to the most recently read post without any issues it seems.
-
• #6487
I think it's the pictures
Yes: if I remember correctly, it's because the page loads at the correct place before the pictures are taken into account.
So when the photos load, they push everything down.
-
• #6488
it's because the page loads at the correct place before the pictures are taken into account.
Never had this issue with Chrome though. Firefox's fault?
-
• #6489
Sorry, I don't remember.
-
• #6490
Is there a way to choose whether or not a youtube link is embedded?
Do I just need to learn to forum?
For instance, I tried pasting a start from x time link and no matter what I did it just embedded the vid from the start. A choice would be nice is what I'm saying.
-
• #6491
I think you can escape things like that to stop the forum auto-handling it in a certain way. Perhaps by preceding it with a fwd slash?
-
• #6492
I tried pasting a start from x time link and no matter what I did it just embedded the vid from the start
The link above the embed still contains all the parameters, including the start time if you have selected one. I expect there's a good reason for stripping that part of the query string from the embed. You can cheat by putting the time before the video ID, then you just get a link which goes to the start time you want.
https://www.youtube.com/watch?t=2m23s&v=hvgtqYXy5lU
is a link but the following with the video ID before the start time embeds and starts at the beginning:
https://www.youtube.com/watch?v=hvgtqYXy5lU&t=2m23s
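As an added example (not the forum's own embed code), an extractor that reads the video ID and start time as ordinary query parameters, so both orderings above give the same result, and that converts the `2m23s` form to the whole seconds the player's `start` parameter takes. The accepted host names and the `embed_url` helper are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Accepts '2m23s', '1h2m', '143' or '143s'.
TIME_RE = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s?)?$")
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")
WATCH_HOSTS = ("www.youtube.com", "youtube.com", "m.youtube.com")  # assumption


def parse_start(value):
    """Convert a YouTube t= value to whole seconds; None if it is not understood."""
    m = TIME_RE.match(value or "")
    if not value or not m:
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def parse_youtube_link(url):
    """Return (video_id, start_seconds) for a /watch link, independent of parameter order.

    Returns None when the URL is not a watch link with a well-formed video ID;
    start_seconds is 0 when no t= is present and None when t= is malformed."""
    parts = urlsplit(url)
    if parts.hostname not in WATCH_HOSTS or parts.path != "/watch":
        return None
    q = parse_qs(parts.query)
    vid = q.get("v", [None])[0]
    if not vid or not VIDEO_ID_RE.fullmatch(vid):
        return None
    start = parse_start(q["t"][0]) if "t" in q else 0
    return vid, start


def embed_url(url):
    """Build an embed URL that keeps the start time instead of dropping it."""
    parsed = parse_youtube_link(url)
    if parsed is None:
        return None
    vid, start = parsed
    return f"https://www.youtube.com/embed/{vid}" + (f"?start={start}" if start else "")


if __name__ == "__main__":
    for link in ("https://www.youtube.com/watch?t=2m23s&v=hvgtqYXy5lU",
                 "https://www.youtube.com/watch?v=hvgtqYXy5lU&t=2m23s"):
        print(parse_youtube_link(link), embed_url(link))
```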
-
• #6493
you can escape things like that to stop the forum auto-handling it
If you escape it enough to prevent embedding, you also escape it enough to stop it being a working link, e.g. https://www.youtube.com/watch?v=hvgtqYXy5lU
https\://www.youtube.com/watch?v=hvgtqYXy5lU
-
• #6494
How do you remove someone from a shared PM? Accidentally added the wrong person, can't figure out how to remove.
iPhone - Safari
-
• #6495
@mdcc_tester
Fingers crossed
https://www.youtube.com/watch?t=1m20s&v=bD7ZnJdi2rY
The code I was being referred to was input only in seconds.
Edit: 1 million internet points for tester!
-
• #6496
You can't remove someone else from a shared PM... but perhaps you should be able to if they have been added within the last minute.
The reasoning being that this is effectively their content once invited, and who are you to delete their access to content.
But I've made that mistake before as well, and it is annoying and should be undoable.
In the meantime, you can let me know who to remove and I'll remove them.
-
• #6498
Like an audit trail of who was who, and when?
Possible yes. Would need to add a database table and keep track of such things, but not too hard.
-
• #6499
Wouldn't even need to have the "and when", more a trail of who they were username-wise? So in the case of dooks it would be "dooks" "apone" "fatberg". The only reason I know he's changed username is because his avatar is the same and I know him in real life, so can ask him. Otherwise I'd not have the foggiest.
-
• #6500
You can see their history of comments and conversations via their profile, for clues. But I agree, it is confusing.
The thread I just started (https://www.lfgss.com/conversations/309563/) shows up twice for me on my 'Following' page. Any idea why? (I think I may have had this once before.)