Security alert


zygalski

7,759 posts

145 months

Sunday 23rd April 2017
anonymous said:
[redacted]
Huh?



Funk

26,266 posts

209 months

Sunday 23rd April 2017
anonymous said:
[redacted]
I hate to be blunt but you're wrong.

If the ad is prevented from even being loaded by the browser, it isn't there in the first place to be able to throw the security error.

I used to whitelist PH until they started going mental with noisy ads, massive ads, ads obscuring parts of the page or causing content shift and taking ages to load - that and the constant bleating of "...it's not our fault, it's a 3rd party.." meant I wouldn't tolerate ads from them any more, especially if they're unable to control WHAT is being shown and by whom. Anything could be being served up and PH would have no idea/control.

Since blacklisting the site it's faster, cleaner, less cluttered and SILENT. I don't give a monkey's about whatever it's losing them in views - they had their chance several times and lost my goodwill. I also can't think of a time where I've ever clicked on an ad on PH even when I saw them. <shrug>

bitchstewie

51,115 posts

210 months

Sunday 23rd April 2017
Funk said:
I hate to be blunt but you're wrong.

If the ad is prevented from even being loaded by the browser, it isn't there in the first place to be able to throw the security error.

I used to whitelist PH until they started going mental with noisy ads, massive ads, ads obscuring parts of the page or causing content shift and taking ages to load - that and the constant bleating of "...it's not our fault, it's a 3rd party.." meant I wouldn't tolerate ads from them any more, especially if they're unable to control WHAT is being shown and by whom. Anything could be being served up and PH would have no idea/control.

Since blacklisting the site it's faster, cleaner, less cluttered and SILENT. I don't give a monkey's about whatever it's losing them in views - they had their chance several times and lost my goodwill. I also can't think of a time where I've ever clicked on an ad on PH even when I saw them. <shrug>
^^

Pretty much where I am too tbh.

I love that PH is free and I get that this is, to some degree, due to advertising.

I don't have a huge issue with targeted ads.

I do have a huge issue when a site's consistent line is "Sorry, it's a third party's fault" as that's a PR way of saying "We aren't in control of what our website is showing you".

Funk

26,266 posts

209 months

Sunday 23rd April 2017
anonymous said:
[redacted]
Apologies, for some reason I thought yours was the OP.

No idea re. your issue then.

Amused2death

Original Poster:

2,493 posts

196 months

Wednesday 26th April 2017
Hi guys, looks like it's happening again.

Knowing how advertising helps pay for the site I'm loath to install an ad blocker, but if it continues it looks like it's the only option.

Durzel

12,258 posts

168 months

Wednesday 26th April 2017
768 said:
FWIW these will be because they've removed the Content Security Policy and now allow loading of HTTP images and other insecure "passive" content.

Which is a separate issue from a domain serving a certificate with the name of another host.
Problem is how are they to allow embedded images on here whilst maintaining HTTPS? As soon as they allow an inline HTTP image to load it's going to break the HTTPS connection.

Looking at the list of resources loaded on this thread - it's the embedded images from thumbsnap.com and tinypic.com doing it. In the case of thumbsnap.com you can actually serve a HTTPS version instead - i.e. change http://thumbsnap.com/sc/RhhCRGn7.png to https://thumbsnap.com/sc/RhhCRGn7.png. tinypic.com doesn't appear to support HTTPS linking.

If it were me and I was asked to solve the problem, I'd rewrite the [IMG] handler to first check to see if the URL a forum user provides can be fetched over HTTPS instead, and if so change the URL to that, and if not to either reject the image completely (advise the user to upload that image somewhere else), or fetch that image and host it locally under the *.pistonheads.com domain.

Really depends on how much Haymarket care about this stuff really.

PS. Use uBlock Origin (not uBlock) - it is much better than Adblock Plus, who sold out to advertisers a long time ago with default-on whitelisting of ad firms who paid them to.

Edited by Durzel on Wednesday 26th April 17:58
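One way to build the [IMG] handler Durzel describes, as an added example that is not part of the thread or PistonHeads' code: each http:// image link is upgraded to https:// if the host answers over TLS, otherwise it is rejected or routed through a local proxy. The HTTPS probe is injected (a constructed table standing in for a real HEAD request), and the proxy path forum.example/img-proxy and the list of HTTPS-capable hosts are assumptions for the example.

```python
"""Added example (not PistonHeads' code): upgrade or reject HTTP image links
in forum posts so the rendered page carries no mixed content.

The HTTPS probe is injected so this runs offline; a real probe would do a
HEAD request with a short timeout and certificate verification left on.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote, urlsplit, urlunsplit

Probe = Callable[[str], bool]  # returns True if the URL is fetchable over HTTPS


@dataclass(frozen=True)
class Decision:
    action: str  # "keep", "upgrade", "proxy" or "reject"
    url: str


def _is_public_host(hostname: Optional[str]) -> bool:
    """Refuse to probe loopback/private targets: the probe runs server-side,
    so a user-supplied URL must not turn it into an SSRF primitive."""
    if not hostname or hostname == "localhost" or hostname.endswith(".localhost"):
        return False
    try:
        return ipaddress.ip_address(hostname).is_global
    except ValueError:
        return True  # DNS name; production code should also re-check the resolved IP


def decide_image_url(url: str, https_works: Probe, allow_proxy: bool = False) -> Decision:
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return Decision("keep", url)
    if scheme != "http" or not _is_public_host(parts.hostname):
        return Decision("reject", url)
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return Decision("reject", url)
    netloc = parts.netloc
    if port == 80:  # an explicit :80 makes no sense on the https:// form
        netloc = netloc.rsplit(":", 1)[0]
    upgraded = urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    if https_works(upgraded):
        return Decision("upgrade", upgraded)
    if allow_proxy:
        # Assumed local proxy endpoint under the forum's own HTTPS origin.
        return Decision("proxy", "https://forum.example/img-proxy?src=" + quote(url, safe=""))
    return Decision("reject", url)


IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)


def rewrite_img_tags(post: str, https_works: Probe, allow_proxy: bool = False) -> str:
    """Apply decide_image_url to every [img]...[/img] tag in a post body."""
    def repl(match):
        decision = decide_image_url(match.group(1), https_works, allow_proxy)
        if decision.action == "reject":
            return "[image removed: not available over HTTPS, please re-host it]"
        return f"[img]{decision.url}[/img]"
    return IMG_TAG.sub(repl, post)


# Constructed probe for the example: only thumbsnap.com answers over HTTPS,
# matching the observation in the thread; tinypic.com does not.
CONSTRUCTED_HTTPS_HOSTS = {"thumbsnap.com"}


def sample_probe(url: str) -> bool:
    return urlsplit(url).hostname in CONSTRUCTED_HTTPS_HOSTS


if __name__ == "__main__":
    post = ("[img]http://thumbsnap.com/sc/RhhCRGn7.png[/img] "
            "[IMG]http://i.tinypic.com/example.jpg[/IMG]")
    print(rewrite_img_tags(post, sample_probe))
```

Doing the check server-side at post time is what removes the warning for every visitor. A `Content-Security-Policy: upgrade-insecure-requests` header only asks supporting browsers to rewrite http:// subresources to https:// on the client, so an image on a host that cannot serve HTTPS still fails to load, and `block-all-mixed-content` simply drops it silently; neither tells the poster to re-host the picture.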

768

13,662 posts

96 months

Wednesday 26th April 2017
Durzel said:
...or fetch that image and host it locally under the *.pistonheads.com domain.
I think copyright is an issue there; if it weren't, the simple answer would be to add the CSP back in, scrape all the existing HTTP images, host them and not allow any more.

There's no good answer I know of, just compromises.