
Mobile user survey banner includes non-HTTPS content on HTTPS page view
Closed, ResolvedPublic

Description

While loading https://www.mediawiki.org/wiki/Special:Code/MediaWiki/91123 I found that some sort of "mobile user survey" banner displayed in the sitenotice area, and a mixed-content warning popped up in my browser indicating something was loaded over unencrypted HTTP.

I popped open Firebug to check the network panel to find the culprit and reloaded to populate it, but the banner disappeared and hasn't reappeared, so I can't confirm it just yet.


Version: unspecified
Severity: major

Details

Reference
bz31446

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 21 2014, 11:51 PM
bzimport added a project: HTTPS.
bzimport set Reference to bz31446.
bzimport added a subscriber: Unknown Object (MLST).

The offending image seems to be http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png

Here's the banner-loader output that triggers:

insertBanner({"bannerName":"2011MobileReaders","bannerHtml":"<style type=\"text\/css\">\n\n#centralNotice.collapsed #mobileSurvey2011 {\n display: none;\n }\n\n#mobileSurvey2011 {\n position: relative;\n overflow: hidden;\n margin-bottom: 0.5em !important;\n background-color: #d7e4fa;\n background-repeat: repeat-x;\n border: solid 1px #a7d7f9; \n display: none;\n}\n\n#mobileSurvey2011-content {\n position:relative;\n padding: 30px 80px;\n text-align: center;\n}\n\n#mobileSurvey2011-logo {\n position: absolute;\n top: 20px;\n left: 25px;\n background-image: url(http:\/\/upload.wikimedia.org\/wikipedia\/commons\/thumb\/1\/12\/Wikimedia_logo_text_RGB.svg\/60px-Wikimedia_logo_text_RGB.svg.png);\n height: 60px;\n width: 60px;\n background-repeat: no-repeat;\n}\n\n#mobileSurvey2011 #cn-toggle-box {\n position: absolute;\n z-index: 98;\n top: 5px;\n right: 5px;\n }\n<\/style>\n\n<div id=\"mobileSurvey2011\">\n <div id=\"mobileSurvey2011-logo\"> <\/div>\n <div id=\"mobileSurvey2011-content\">\n <span style=\"font-size: 1.3em;\">Please take the <a class=\"variable_lp\" href=\"#\">2011 Wikipedia Mobile Readers Survey<\/a>.<\/span><br \/>\n <span style=\"font-style: italic; font-size: 0.9em;\">Share your experiences and improve mobile Wikipedia.<\/span>\n <\/div>\n <div id=\"cn-toggle-box\">\n <a href=\"#\" onclick=\"toggleNotice();$('#mobileSurvey2011').hide();return false;\"><img border=\"0\" src=\"http:\/\/bits.wikimedia.org\/skins-1.17\/common\/images\/closewindow.png\" alt=\"Close\" \/><\/a>\n <\/div>\n\n<\/div>\n<script type=\"text\/javascript\">\n\/\/include throttle\nvar throttle = 5;\nvar throttleVal = Math.floor(Math.random() * throttle);\nif (throttleVal == 0 ) {\n $('#mobileSurvey2011').show();\n $('head').append('<link rel=\"stylesheet\" href=\"http:\/\/wikimediafoundation.org\/tracker\/bannerImpression.php?req=css&surveyView=1 \" type=\"text\/css\" \/>');\n var url = 'http:\/\/wikimedia.limequery.org\/52291\/lang-'+wgUserLanguage;\n $(\"#mobileSurvey2011 a.variable_lp\").attr(\"href\",url);\n\n}\n<\/script>","campaign":"Mobile Readers Survey","fundraising":"0","landingPages":""});

I added a note on [[meta:Help:CentralNotice]] recommending use of protocol-relative URLs for images.

https://meta.wikimedia.org/wiki/Help:CentralNotice#Images

Now that you've posted the note, is there anything else to do?

Yeah that banner needs to be fixed!

lambdav wrote:

Internet Explorer 9 debugging tools report the "HTTPS compromised security" error message for the following 2 files:

http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png
http://wikimediafoundation.org/tracker/banner/Impression.php?req=css&surveyView=1

It needs to be fixed by using protocol-relative URLs, by removing the http prefix:

//bits.wikimedia.org/skins-1.17/common/images/closewindow.png
//wikimediafoundation.org/tracker/banner/Impression.php?req=css&surveyView=1

Assigning to Tomasz, he'll know who to poke. :)

ngautam wrote:

Appropriate changes made to banner

(In reply to comment #8)

Appropriate changes made to banner

Thanks for taking care of it so quickly, Nimish.

lambdav wrote:

I still cannot see changes. The http: prefix is still present in 2 templates used by the banner (6 occurrences):

4 occurrences of http: in
https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=2011MobileReaders_anon

...
#mobileSurvey2011-logo {

position: absolute;
top: 20px;
left: 25px;
                  /** vvvvv-HERE **/
background-image: url(http://upload.wikimedia.org/wikipedia/commons/thumb/1/12/Wikimedia_logo_text_RGB.svg/60px-Wikimedia_logo_text_RGB.svg.png);

...
<div id="mobileSurvey2011">

<div id="mobileSurvey2011-logo"> </div>
<div id="mobileSurvey2011-content">
  <span style="font-size: 1.3em;">{{{please-take}}}</span><br />
  <span style="font-style: italic; font-size: 0.9em;">{{{share}}}</span>
</div>
<div id="cn-toggle-box">

<!-- vvvvv-HERE -->

<a href="#" onclick="toggleNotice();$('#mobileSurvey2011').hide();return false;"><img border="0" src="http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png" alt="Close" /></a>

...
<script type="text/javascript">
//include throttle
var throttle = 5;
var throttleVal = Math.floor(Math.random() * throttle);
if (throttleVal == 0 ) {

$('#mobileSurvey2011').show();

/* vvvvv-HERE */

$('head').append('<link rel="stylesheet" href="http://wikimediafoundation.org/tracker/bannerImpression.php?req=css&surveyView=1 " type="text/css" />');

/* vvvvv-HERE */

var url = 'http://wikimedia.limequery.org/52291/lang-'+wgUserLanguage;

...

2 occurrences of http: in
https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=2011MobileReaders
...
#mobileSurvey2011-logo {

position: absolute;
top: 20px;
left: 25px;

/* vvvvv-HERE */

background-image: url(http://upload.wikimedia.org/wikipedia/commons/thumb/1/12/Wikimedia_logo_text_RGB.svg/60px-Wikimedia_logo_text_RGB.svg.png);
height: 60px;
width: 60px;
background-repeat: no-repeat;

}

...
<script type="text/javascript">
//include throttle
var throttle = 3;
var throttleVal = Math.floor(Math.random() * throttle);
if (throttleVal == 0 ) {

$('#mobileSurvey2011').show();
$('head').append('<link rel="stylesheet" href="//wikimediafoundation.org/tracker/bannerImpression.php?req=css&surveyView=1 " type="text/css" />');

/* vvvvv-HERE */

var url = 'http://wikimedia.limequery.org/52291/lang-'+wgUserLanguage;
$("#mobileSurvey2011 a.variable_lp").attr("href",url);

...
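The audit lambdav did by hand above (counting http: occurrences in each template) and the fix prescribed earlier in the thread (dropping the scheme so the URL becomes protocol-relative), as an added example that is not part of this bug thread or of CentralNotice: a small Python scanner run over a constructed template fragment. SAMPLE_TEMPLATE, classify, find_absolute_http and to_protocol_relative are names chosen here, and the sample is constructed to mirror the fragments quoted in the thread, not copied from the live template.

```python
import re

# Any absolute http:// URL, terminated by whitespace, a quote, a paren or an angle bracket.
HTTP_URL = re.compile(r"http://[^\s'\"()<>]+")

# Constructed sample (not the real CentralNotice template) mirroring the fragments quoted in
# this bug: a CSS background-image, an <img src>, an injected <link href> and a JS-built link.
SAMPLE_TEMPLATE = """\
#mobileSurvey2011-logo {
  background-image: url(http://upload.wikimedia.org/wikipedia/commons/thumb/1/12/Wikimedia_logo_text_RGB.svg/60px-Wikimedia_logo_text_RGB.svg.png);
}
<div id="cn-toggle-box">
  <a href="#" onclick="toggleNotice();$('#mobileSurvey2011').hide();return false;"><img border="0" src="http://bits.wikimedia.org/skins-1.17/common/images/closewindow.png" alt="Close" /></a>
</div>
<script type="text/javascript">
$('head').append('<link rel="stylesheet" href="http://wikimediafoundation.org/tracker/bannerImpression.php?req=css&surveyView=1 " type="text/css" />');
var url = 'http://wikimedia.limequery.org/52291/lang-'+wgUserLanguage;
</script>
"""


def classify(prefix):
    """Decide from the text just before a URL whether the browser fetches it.

    CSS url(), src= and <link href=> are subresources and trigger the mixed-content
    warning on an https page; anything else is a navigation link, which does not
    trigger it but which the CentralNotice guidance says to fix as well.
    """
    tail = prefix[-80:]
    if re.search(r"url\(\s*['\"]?$", tail) or re.search(r"\bsrc\s*=\s*['\"]$", tail):
        return "subresource"
    if re.search(r"<link\b[^>]*href\s*=\s*['\"]$", tail):
        return "subresource"
    return "link"


def find_absolute_http(template):
    """Return (line_number, kind, url) for every http:// URL in a banner template."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in HTTP_URL.finditer(line):
            hits.append((lineno, classify(line[:m.start()]), m.group(0)))
    return hits


def to_protocol_relative(template):
    """Rewrite every http:// URL to a protocol-relative // URL; https:// is left alone."""
    return HTTP_URL.sub(lambda m: m.group(0)[len("http:"):], template)
```

A protocol-relative URL only helps when the referenced host actually serves the resource over HTTPS, so check each host (the third-party survey host included) before rewriting. On a site that is only served over HTTPS, writing https:// outright achieves the same result without the ambiguity.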

lambdav wrote:

No one seems to react quickly...

ngautam wrote:

All sorts of randomness was broken on this...all the URLs should be relative on those two active campaigns.

ngautam wrote:

That banner has several issues with it and should not be used at all...I've intentionally blanked it so if it does get turned on by mistake it doesn't cause any problems.

lambdav wrote:

Thanks again for resolution.

lambdav wrote:

New global banners -> The problem comes back.

I request that everybody creating any global banner knows that the http: prefix should be removed from any URL pointing to a Wikimedia server.

URLs should be protocol-relative in links, resource locations, script locations, ...

The banners I'm currently seeing logged out on https://en.wikipedia.org/ do not appear to include any non-SSL resources. (I'm seeing two Jimmy banners, no mobile user survey banners.)

Can you copy-paste the target link from any triggering banners you're still seeing?

lambdav wrote:

I can see it on commons (not logged in because I closed banner under my account).

When on https://commons.wikimedia.org

The image is http://upload.wikimedia.org/wikipedia/foundation/7/73/Jimmy_jacket_forest.png

The link is https://wikimediafoundation.org/wiki/Special:LandingCheck?landing_page=L11_1114_FR_Jimmy&utm_medium=sitenotice&utm_campaign=C11_1114_WMFR&utm_source=B11_1114_Foundation_WMFR_JimmyGreen&language=en&country=FR

But the problem is not to correct the banner but to inform banner creators. Otherwise this bug will be reopened for each new banner.

Hrmmmmm well I don't see *any* fundraising banners on Commons, even logged out.

Maybe they're flipping them on and off... where might they be hiding...

Ahh this should be a perfect place to find all offending banners:
https://meta.wikimedia.org/wiki/Special:NoticeTemplate

lambdav wrote:

I don't know who is allowed to create banners. But authors should be informed about using protocol-relative URLs.

The documentation already says that:
https://meta.wikimedia.org/wiki/Help:CentralNotice#Images

The problem ain't updating the documentation, it's finding how to contact whoever's maintaining them so they remember to actually follow it. :)

Found folks in Wikimedia-Fundraising IRC channel who can help clean them up; apparently these are chapter fundraising banners, not from the WMF team, but they can clean them up and make sure info gets out.

lambdav wrote:

Finding authors and their contributions in banners is not as easy as in wiki pages.

Thanks for resolving the problem.

The three linked above have been fixed; there are a bunch more:

[15:47] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_Thermo <- this one's got some too (the thermometer images)
[15:47] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_Foundation_WMFR_JimmyGreen <- this one with Jimmy_jacket_forest.png again
[15:48] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_JKwfCf_US <- and this
[15:48] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_JKwfSM_US <- and this
[15:48] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WMDE_Nov14_0921
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_btJKwF_FFFv0F0_US
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1114_JKwMf_US
[15:49] <PhancyPhysicist> brion: someone has been bad!
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btJKwF2_US
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btJKwF30M_US
[15:49] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btJKwF_US
[15:50] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_btBFwP_US
[15:50] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_1113_bt1_US
[15:51] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WMDE_2011_Nov11_b
[15:51] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=WMDE_2011_Nov11_a
[15:51] <brion> https://meta.wikimedia.org/w/index.php?title=Special:NoticeTemplate/view&template=B11_Donate_Jimmy_Thermo
[15:52] <pgehres> brion: wow. I happen to know who created most of those banners and will mention it to them
[15:52] <brion> thanks :)
[15:52] <pgehres> np
[15:52] <pgehres> If you're curious, read the CN logs...

Patricia Pena is going to send a reminder to people who create these banners. Please create a new bug if the problem pops up again.