Page MenuHomePhabricator

Wikimedia blog has unsecured elements on https
Closed, InvalidPublic

Description

When I access the Wikimedia blog on https, I get a warning on chrome that it contains unsecured elements, which means the site isn't completely secure. They need to be found and made secure.


Version: wmf-deployment
Severity: normal

Details

Reference
bz62488

Related Objects

StatusAssignedTask
OpenBBlack
ResolvedBBlack
ResolvedArielGlenn
ResolvedChmarkine
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedCCogdill_WMF
DeclinedBBlack
DuplicateBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedBBlack
ResolvedNone
ResolvedBBlack
InvalidNone

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:57 AM
bzimport added a project: Wikimedia-Blog.
bzimport set Reference to bz62488.
bzimport added a subscriber: Unknown Object (MLST).

One is the information button of "For versions in other languages, please check the wiki version of this report, or add your own translation there!", and another is "‘Tofu’ Detection". Both are from blog content instead of the software.

Take a look at the pictures, looking at my console I getting,

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but displayed insecure content from 'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:1

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but displayed insecure content from 'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:177

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but displayed insecure content from 'http://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Information_icon.svg/32px-Information_icon.svg.png': this content should also be loaded over HTTPS.

It's the images that are causing the warnings, they should be loaded with https, not http.

(In reply to Techman224 from comment #2)

Take a look at the pictures, looking at my console I getting,
The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but
displayed insecure content from
'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-
Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:1
The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but
displayed insecure content from
'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-
Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:177
The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but
displayed insecure content from
'http://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Information_icon.
svg/32px-Information_icon.svg.png': this content should also be loaded over
HTTPS.
It's the images that are causing the warnings, they should be loaded with
https, not http.

This is like what happens when a sysop puts importScriptURI("http://bits.wikimedia.org/...") in MediaWiki:Common.js. There's nothing that can be done from developer or sysadmin side. Ask blog post writers to fix them.

Chmarkine set Security to None.
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptJan 29 2016, 1:27 PM