Last modified: 2011-11-22 21:15:55 UTC

This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T33446, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 31446 - Mobile user survey banner includes non-HTTPS content on HTTPS page view
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: SSL related
Version: unspecified
Hardware: All All
Importance: Highest major with 1 vote
Assigned To: Nobody - You can work on this!
Reported: 2011-10-06 23:43 UTC by Brion Vibber
Modified: 2011-11-22 21:15 UTC (History)

Description Brion Vibber 2011-10-06 23:43:18 UTC
While loading https://www.mediawiki.org/wiki/Special:Code/MediaWiki/91123 I found that some sort of "mobile user survey" banner displayed in the sitenotice area, and a mixed-content warning popped up in my browser indicating something was loaded over unencrypted HTTP.

I popped open Firebug to check the network panel to find the culprit and reloaded to populate it, but the banner disappeared and hasn't reappeared so can't confirm it just yet.
Comment 1 Brion Vibber 2011-10-07 19:17:02 UTC
The offending image seems to be http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png

Here's the banner-loader output that triggers:


insertBanner({"bannerName":"2011MobileReaders","bannerHtml":"<style type=\"text\/css\">\n\n#centralNotice.collapsed #mobileSurvey2011 {\n  display: none;\n }\n\n#mobileSurvey2011 {\n  position: relative;\n  overflow: hidden;\n  margin-bottom: 0.5em !important;\n  background-color: #d7e4fa;\n  background-repeat: repeat-x;\n  border: solid 1px #a7d7f9; \n  display: none;\n}\n\n#mobileSurvey2011-content {\n  position:relative;\n  padding: 30px 80px;\n  text-align: center;\n}\n\n#mobileSurvey2011-logo {\n  position: absolute;\n  top: 20px;\n  left: 25px;\n  background-image: url(http:\/\/upload.wikimedia.org\/wikipedia\/commons\/thumb\/1\/12\/Wikimedia_logo_text_RGB.svg\/60px-Wikimedia_logo_text_RGB.svg.png);\n  height: 60px;\n  width: 60px;\n  background-repeat: no-repeat;\n}\n\n#mobileSurvey2011 #cn-toggle-box {\n  position: absolute;\n  z-index: 98;\n  top: 5px;\n  right: 5px;\n }\n<\/style>\n\n<div id=\"mobileSurvey2011\">\n  <div id=\"mobileSurvey2011-logo\"> <\/div>\n  <div id=\"mobileSurvey2011-content\">\n    <span style=\"font-size: 1.3em;\">Please take the <a class=\"variable_lp\" href=\"#\">2011 Wikipedia Mobile Readers Survey<\/a>.<\/span><br \/>\n    <span style=\"font-style: italic; font-size: 0.9em;\">Share your experiences and improve mobile Wikipedia.<\/span>\n  <\/div>\n  <div id=\"cn-toggle-box\">\n    <a href=\"#\" onclick=\"toggleNotice();$('#mobileSurvey2011').hide();return false;\"><img border=\"0\" src=\"http:\/\/bits.wikimedia.org\/skins-1.17\/common\/images\/closewindow.png\" alt=\"Close\" \/><\/a>\n  <\/div>\n\n<\/div>\n<script type=\"text\/javascript\">\n\/\/include throttle\nvar throttle = 5;\nvar throttleVal = Math.floor(Math.random() * throttle);\nif (throttleVal == 0 ) {\n  $('#mobileSurvey2011').show();\n  $('head').append('<link rel=\"stylesheet\" href=\"http:\/\/wikimediafoundation.org\/tracker\/bannerImpression.php?req=css&surveyView=1 \" type=\"text\/css\" \/>');\n  var url = 
'http:\/\/wikimedia.limequery.org\/52291\/lang-'+wgUserLanguage;\n  $(\"#mobileSurvey2011 a.variable_lp\").attr(\"href\",url);\n\n}\n<\/script>","campaign":"Mobile Readers Survey","fundraising":"0","landingPages":""});
Comment 3 Brion Vibber 2011-10-07 19:29:48 UTC
I added a note on [[meta:Help:CentralNotice]] recommending use of protocol-relative URLs for images.

https://meta.wikimedia.org/wiki/Help:CentralNotice#Images
Comment 4 Mark A. Hershberger 2011-10-07 21:33:37 UTC
Now that you've posted the note, is there anything else to do?
Comment 5 Brion Vibber 2011-10-07 21:34:20 UTC
Yeah that banner needs to be fixed!
Comment 6 DavidL 2011-10-13 15:48:37 UTC
Internet Explorer 9 debugging tools report the "HTTPS compromised security" error message for the following 2 files:
  http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png
  http://wikimediafoundation.org/tracker/banner/Impression.php?req=css&surveyView=1

It needs to be fixed by using protocol-relative URLs, by removing the http prefix:
  //bits.wikimedia.org/skins-1.17/common/images/closewindow.png
  //wikimediafoundation.org/tracker/banner/Impression.php?req=css&surveyView=1
Comment 7 Brion Vibber 2011-10-13 16:16:00 UTC
Assigning to Tomasz, he'll know who to poke. :)
Comment 8 Nimish Gautam 2011-10-13 16:42:51 UTC
Appropriate changes made to banner
Comment 9 Tomasz Finc 2011-10-13 16:49:23 UTC
(In reply to comment #8)
> Appropriate changes made to banner

Thanks for taking care of it so quickly, Nimish.
Comment 10 DavidL 2011-10-13 18:09:02 UTC
I still cannot see changes. The http: prefix is still present in 2 templates used by the banner (6 occurrences):


4 occurrences of http: in
https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=2011MobileReaders_anon

...
#mobileSurvey2011-logo {
  position: absolute;
  top: 20px;
  left: 25px;
                    /** vvvvv-HERE **/
  background-image: url(http://upload.wikimedia.org/wikipedia/commons/thumb/1/12/Wikimedia_logo_text_RGB.svg/60px-Wikimedia_logo_text_RGB.svg.png);

...
<div id="mobileSurvey2011">
  <div id="mobileSurvey2011-logo"> </div>
  <div id="mobileSurvey2011-content">
    <span style="font-size: 1.3em;">{{{please-take}}}</span><br />
    <span style="font-style: italic; font-size: 0.9em;">{{{share}}}</span>
  </div>
  <div id="cn-toggle-box">
<!--                                                                                                      vvvvv-HERE      -->
    <a href="#" onclick="toggleNotice();$('#mobileSurvey2011').hide();return false;"><img border="0" src="http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png" alt="Close" /></a>

...
<script type="text/javascript">
//include throttle
var throttle = 5;
var throttleVal = Math.floor(Math.random() * throttle);
if (throttleVal == 0 ) {
  $('#mobileSurvey2011').show();
/*                                               vvvvv-HERE      */
  $('head').append('<link rel="stylesheet" href="http://wikimediafoundation.org/tracker/bannerImpression.php?req=css&surveyView=1 " type="text/css" />');
/*           vvvvv-HERE      */
  var url = 'http://wikimedia.limequery.org/52291/lang-'+wgUserLanguage;
...


2 occurrences of http: in
https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=2011MobileReaders
...
#mobileSurvey2011-logo {
  position: absolute;
  top: 20px;
  left: 25px;
/*                      vvvvv-HERE */
  background-image: url(http://upload.wikimedia.org/wikipedia/commons/thumb/1/12/Wikimedia_logo_text_RGB.svg/60px-Wikimedia_logo_text_RGB.svg.png);
  height: 60px;
  width: 60px;
  background-repeat: no-repeat;
}

...
<script type="text/javascript">
//include throttle
var throttle = 3;
var throttleVal = Math.floor(Math.random() * throttle);
if (throttleVal == 0 ) {
  $('#mobileSurvey2011').show();
  $('head').append('<link rel="stylesheet" href="//wikimediafoundation.org/tracker/bannerImpression.php?req=css&surveyView=1 " type="text/css" />');
/*           vvvvv-HERE */
  var url = 'http://wikimedia.limequery.org/52291/lang-'+wgUserLanguage;
  $("#mobileSurvey2011 a.variable_lp").attr("href",url);
...
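
The check that comment 10 performs by hand, as an added example that is not part of the original bug report or of CentralNotice: it scans banner template source for absolute http:// references, marks the ones loaded as subresources (the ones that trigger the mixed-content warning), and rewrites those to protocol-relative form. The function names, the `other` category and the choice to leave non-subresource URLs unchanged are assumptions of this example; the sample is assembled from the template lines quoted above.

```javascript
// Constructed sample: the four http: lines quoted from 2011MobileReaders_anon.
const SAMPLE_BANNER = `
#mobileSurvey2011-logo {
  background-image: url(http://upload.wikimedia.org/wikipedia/commons/thumb/1/12/Wikimedia_logo_text_RGB.svg/60px-Wikimedia_logo_text_RGB.svg.png);
}
<a href="#"><img border="0" src="http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png" alt="Close" /></a>
<script type="text/javascript">
  $('head').append('<link rel="stylesheet" href="http://wikimediafoundation.org/tracker/bannerImpression.php?req=css&surveyView=1 " type="text/css" />');
  var url = 'http://wikimedia.limequery.org/52291/lang-'+wgUserLanguage;
</script>`;

// Any absolute http:// URL, cut at quotes, whitespace, parentheses or tags.
const HTTP_URL = /http:\/\/[^\s"'()<>\\]+/g;

// Decide how a URL is used from the text immediately before it.
function classify(before) {
  if (/url\(\s*["']?$/i.test(before)) return 'css-url';            // CSS background etc.
  if (/<link\b[^<>]*\bhref\s*=\s*["']$/i.test(before)) return 'stylesheet-link';
  if (/\bsrc\s*=\s*["']$/i.test(before)) return 'src-attribute';   // img, script, iframe
  return 'other';  // e.g. a link target built in script; not fetched with the page
}

function contextBefore(markup, offset) {
  return markup.slice(Math.max(0, offset - 200), offset);
}

// List every http:// reference and whether it is fetched as a subresource.
function findHttpRefs(markup) {
  return [...markup.matchAll(HTTP_URL)].map((m) => {
    const kind = classify(contextBefore(markup, m.index));
    return { url: m[0], kind, mixedContent: kind !== 'other' };
  });
}

// Drop the "http:" scheme from subresource URLs only. 'other' URLs are left
// alone: the example cannot know whether that host serves HTTPS at all.
function toProtocolRelative(markup) {
  return markup.replace(HTTP_URL, (url, offset) =>
    classify(contextBefore(markup, offset)) === 'other' ? url : url.slice('http:'.length));
}

console.log(findHttpRefs(SAMPLE_BANNER));
```

Banner-loader output like the one in comment 1 is JSON-escaped (`http:\/\/`), so it has to be decoded before it is passed to these functions.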
Comment 11 DavidL 2011-10-13 19:27:33 UTC
And still many occurrences of http: in
https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WCI_Registration
Comment 12 DavidL 2011-10-17 10:43:49 UTC
No one seems to react quickly...
Comment 13 Nimish Gautam 2011-10-17 16:35:48 UTC
All sorts of randomness was broken on this...all the URLs should be relative on those two active campaigns.
Comment 14 DavidL 2011-10-17 17:24:54 UTC
Some http: still exist in
https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=2011MobileReaders_anon

Thanks for resolution on other messages.
Comment 15 Nimish Gautam 2011-10-17 18:58:51 UTC
That banner has several issues with it and should not be used at all...I've intentionally blanked it so if it does get turned on by mistake it doesn't cause any problems.
Comment 16 DavidL 2011-10-18 11:39:07 UTC
Thanks again for resolution.
Comment 17 DavidL 2011-11-16 21:36:16 UTC
New global banners -> The problem has come back.

I request that everybody creating any global banner knows that the http: prefix should be removed from any URL pointing to a Wikimedia server.

URLs should be protocol-relative in links, resource locations, script locations, ...
Comment 18 Brion Vibber 2011-11-16 22:09:28 UTC
The banners I'm currently seeing logged out on https://en.wikipedia.org/ do not appear to include any non-SSL resources. (I'm seeing two Jimmy banners, no mobile user survey banners.)

Can you copy-paste the target link from any triggering banners you're still seeing?
Comment 19 DavidL 2011-11-16 23:22:30 UTC
I can see it on commons (not logged in because I closed banner under my account).

When on https://commons.wikimedia.org

The image is http://upload.wikimedia.org/wikipedia/foundation/7/73/Jimmy_jacket_forest.png

The link is https://wikimediafoundation.org/wiki/Special:LandingCheck?landing_page=L11_1114_FR_Jimmy&utm_medium=sitenotice&utm_campaign=C11_1114_WMFR&utm_source=B11_1114_Foundation_WMFR_JimmyGreen&language=en&country=FR

But the problem is not to correct the banner but to inform banner creators. Otherwise this bug will be reopened for each new banner.
Comment 20 Brion Vibber 2011-11-16 23:28:10 UTC
Hrmmmmm well I don't see *any* fundraising banners on Commons, even logged out.

Maybe they're flipping them on and off... where might they be hiding...
Comment 21 Brion Vibber 2011-11-16 23:29:20 UTC
Ahh this should be a perfect place to find all offending banners:
https://meta.wikimedia.org/wiki/Special:NoticeTemplate
Comment 23 DavidL 2011-11-16 23:34:43 UTC
I don't know who is allowed to create banners. But authors should be informed about using protocol-relative URLs.
Comment 24 Brion Vibber 2011-11-16 23:36:42 UTC
The documentation already says that:
https://meta.wikimedia.org/wiki/Help:CentralNotice#Images

The problem ain't updating the documentation, it's finding how to contact whoever's maintaining them so they remember to actually follow it. :)
Comment 25 Brion Vibber 2011-11-16 23:43:26 UTC
Found folks in #wikimedia-fundraising IRC channel who can help clean them up; apparently these are chapter fundraising banners, not from the WMF team, but they can clean them up and make sure info gets out.
Comment 26 DavidL 2011-11-16 23:47:43 UTC
Finding authors and their contributions in banners is not as easy as in wiki pages.

Thanks for resolving the problem.
Comment 27 Brion Vibber 2011-11-16 23:54:17 UTC
The three linked above have been fixed; there are a bunch more:

[15:47] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_Thermo <- this one's got some too (the thermometer images)
[15:47] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_Foundation_WMFR_JimmyGreen <- this one with Jimmy_jacket_forest.png again
[15:48] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_JKwfCf_US <- and this
[15:48] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_JKwfSM_US <- and this
[15:48] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WMDE_Nov14_0921
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_btJKwF_FFFv0F0_US
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_JKwMf_US
[15:49] <PhancyPhysicist> brion: someone has been bad!
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btJKwF2_US
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btJKwF30M_US
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btJKwF_US
[15:50] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btBFwP_US
[15:50] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_bt1_US
[15:51] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WMDE_2011_Nov11_b
[15:51] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WMDE_2011_Nov11_a
[15:51] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_Donate_Jimmy_Thermo
[15:52] <pgehres> brion: wow.  I happen to know who created most of those banners and will mention it to them
[15:52] <brion> thanks :)
[15:52] <pgehres> np
[15:52] <pgehres> If you're curious, read the CN logs...
Comment 28 Mark A. Hershberger 2011-11-22 21:15:55 UTC
Patricia Pena is going to send a reminder to people who create these banners.  Please create a new bug if the problem pops up again.
