Subtle changes, bugs and feedback

  • The thread I just started (https://www.lfgss.com/conversations/309563/) shows up twice for me on my 'Following' page--any idea why? (I think I may have had this once before.)

  • Is there some way of updating the T&C's on the forum to copyright and prevent our comments being reproduced without our permission in the press?

    guessing no. but curious.

  • Pretty sure as a public forum the press have fair use rights to reproduce what's written on here

  • @Velocio I'm getting error messages when I try and post using Chrome with the PIA add-on enabled

    It comes up with

    Forbidden (403)
    CSRF verification failed. Request aborted.
    You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
    If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.

  • PIA is lying. No referer header is required. Not sure why they think it is.

    I shall do a test tomorrow morning on my other computer (the one with PIA on... this one is a media PC and isn't VPN'd).

  • Cheers. Connecting to PIA for the system works fine for posting, it just appears to be the Chrome add-in that causes the problem (same error on Win10 and Chromebook so OS doesn't seem to be an issue).

  • OK. Found it.

    So Django (a web framework that is used to power the front-end of Microcosm sites including LFGSS) does use the Referer header as part of the information that is hashed into the CSRF token.

    CSRF = Cross Site Request Forgery. Forms on HTML pages need to use such a token to ensure that other people cannot trick you into submitting forms as you.

    If anyone remembers on vBulletin when Ed Scoble put an image in a post whose image URL was the "Mark Forum Read" link... you'll know what CSRF tokens do. They prevent that.

    They work like this:

    • Visit a page with a form on, and the server generates a unique token
    • Submit a form, and the form contains the token generated earlier
    • When the server receives the form the token is checked to make sure it matches the one originally generated

    None of that requires the Referer header. But... Django clearly generates the unique token using that piece of information.

    Which means if the referer header is stripped, then Django can never validate the CSRF token and the server doesn't believe that you are the person submitting the form.

    Now... the PIA extension... it is being too aggressive.

    The sane and best way to approach Referer headers is to strip it when the domain is different. i.e. do not tell other sites which page you were visiting earlier.

    But what PIA is doing in their Chrome extension is stripping the Referer header even when you are on the same domain. This will break all manner of things: CSRF tokens, images on sites that have scrape protection, etc.

    This is a bug in their extension, not on LFGSS.

    You can disable this feature, but their documentation reads like you need to disable it every time:

    • "Extension Settings" > "Tracking" > uncheck "Disable website referrer"

    This will make LFGSS work again.

    A better thing to do is to not use the browser extension and to use the system application for PIA instead. But perhaps you do not have the ability to install that.

    I'll register a bug with the PIA extension and hope that they fix it.
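    Added example (not LFGSS or Microcosm code): a minimal CSRF check in Python that follows the three steps above and, like Django on HTTPS, rejects a state-changing request whose Referer is missing or from another origin before it even looks at the token. The HMAC-of-session token, the request dict layout and the `www.lfgss.com` host are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: a server-side secret; real Django derives tokens differently.
SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Step 1 of the post: mint the token the server embeds in the form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(request: dict, site_host: str = "www.lfgss.com") -> tuple:
    """Steps 2-3 of the post, plus the HTTPS Referer check Django runs first.

    `request` is a constructed dict with keys: method, scheme, headers,
    session_id, form. Returns (status, reason)."""
    # Reads (GET/HEAD) never change state, so they are not checked.
    if request["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return 200, "safe method"
    # On HTTPS the Referer must be present and same-origin. A browser
    # extension that strips Referer on same-site requests fails here,
    # before the token is looked at, which is the 403 quoted in the thread.
    if request["scheme"] == "https":
        referer = request["headers"].get("Referer")
        if not referer:
            return 403, "Referer checking failed - no Referer."
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.hostname != site_host:
            return 403, "Referer checking failed - bad Referer."
    # Compare the submitted token with the one minted for this session,
    # in constant time so a forged submission cannot be refined by timing.
    expected = issue_token(request["session_id"])
    submitted = request["form"].get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(expected, submitted):
        return 403, "CSRF token missing or incorrect."
    return 200, "ok"


def make_post(session_id: str, referer, token: str) -> dict:
    """Build a constructed form submission (None referer = header stripped)."""
    headers = {"Referer": referer} if referer else {}
    return {"method": "POST", "scheme": "https", "headers": headers,
            "session_id": session_id, "form": {"csrfmiddlewaretoken": token}}
```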

  • Bug report submitted via the Chrome Extension feedback and their support help desk.

  • Cheers for the detailed explanation. It's only an issue on my Chromebook where the extension is the easiest option. I guess this could be the impetus to set up a VPN properly on there.

  • How did the topic make it to the main index?

    1 Attachment: Screen Shot 2017-09-18 at 21.20.51.png
  • Firefox 55.0.3 (64-bit) on Windows 10 has trouble jumping to the latest read post in threads, I think due to pictures. It loads up to the most recently read post and then when the images load, the content moves a good amount out of the way (down). I think it's the pictures, because in threads without them, it jumps to the most recently read post without any issues it seems.

  • I think it's the pictures

    Yes: if I remember correctly, it's because the page loads at the correct place before the pictures are taken into account.

    So when the photos load, they push everything down.

  • it's because the page loads at the correct place before the pictures are taken into account.

    Never had this issue with Chrome though. Firefox's fault?

  • Sorry, I don't remember.

  • Is there a way to choose whether or not a youtube link is embedded?
    Do I just need to learn to forum?
    For instance, I tried pasting a start from x time link and no matter what I did it just embedded the vid from the start.

    A choice would be nice is what I'm saying.

  • I think you can escape things like that to stop the forum auto-handling it in a certain way. Perhaps by preceding it with a fwd slash?

  • I tried pasting a start from x time link and no matter what I did it just embedded the vid from the start

    The link above the embed still contains all the parameters, including the start time if you have selected one. I expect there's a good reason for stripping that part of the query string from the embed. You can cheat by putting the time before the video ID, then you just get a link which goes to the start time you want.
    https://www.youtube.com/watch?t=2m23s&v=hvgtqYXy5lU
    is a link but the following with the video ID before the start time embeds and starts at the beginning:
    https://www.youtube.com/watch?v=hvgtqYXy5lU&t=2m23s

  • you can escape things like that to stop the forum auto-handling it

    If you escape it enough to prevent embedding, you also escape it enough to stop it being a working link, e.g. https://www.youtube.com/watch?v=hvgtqYXy5lU

    https\://www.youtube.com/watch?v=hvgtqYXy5lU
  • How do you remove someone from a shared PM? Accidentally added the wrong person, can't figure out how to remove.

    iPhone - Safari

    1 Attachment: image.jpeg
  • @mdcc_tester
    Fingers crossed
    https://www.youtube.com/watch?t=1m20s&v=bD7ZnJdi2rY

    The code I was being referred to was input only in seconds.

    Edit; 1 million internet points for tester!

  • You can't remove someone else from a shared PM... but perhaps you should be able to if they have been added within the last minute.

    The reasoning being that this is effectively their content once invited, and who are you to delete their access to content.

    But I've made that mistake before as well, and it is annoying and should be undoable.

    In the meantime, you can let me know who to remove and I'll remove them

  • @Velocio, would it be possible to add a previous username into a current user's page? Since no one makes an announcement when they decide to change their username, it would be good to see previous usernames on their profile page so you can double check they are who you think they are!

  • Like an audit trail of who was who, and when?

    Possible yes. Would need to add a database table and keep track of such things, but not too hard.

  • Wouldn't even need to have the "and when", more a trail of who they were username-wise. So in the case of dooks it would be "dooks" "apone" "fatberg". The only reason I know he's changed username is because his avatar is the same and I know him in real life, so can ask him. Otherwise I'd not have the foggiest.

  • You can see their history of comments and conversations via their profile, for clues. But I agree, it is confusing.

Posted by Velocio (@Velocio)