Page MenuHomePhabricator
Create Task
Maniphest T64488

Wikimedia blog has unsecured elements on https
Closed, InvalidPublic
Actions

Description

When I access the Wikimedia blog on https, I get a warning on chrome that it contains unsecured elements, which means the site isn't completely secure. They need to be found and made secure.

Version: wmf-deployment
Severity: normal

Details

Reference
bz62488

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBBlackT104681 HTTPS Plans (tracking / high-level info)
 ResolvedBBlackT102824 Clean up DNS/redirects for TLS
 ResolvedArielGlennT107575 download.wiki[mp]edia.org are using an invalid certificate
 ResolvedChmarkineT110511 sitemap.wikimedia.org uses invalid SSL certificate
 ResolvedBBlackT104244 Preload HSTS
 ResolvedBBlackT102814 Decom old multiple-subdomain wikis in wikipedia.org
 ResolvedBBlackT104942 TLS and *.wap/*.mobile multi-level subdomains of wikipedia.org
 ResolvedBBlackT102815 Decom www.$lang hostnames/redirects
 ResolvedBBlackT102826 Fix/decom multiple-subdomain wikis in wikimedia.org
 ResolvedBBlackT102827 Decide what to do with *.donate.wikimedia.org subdomain + TLS
 Resolved CCogdill_WMFT130414 delete links.email.donate.wikimedia.org (and all other email.donate.*?) from DNS
 DeclinedBBlackT111967 Preload HSTS for select hostnames within wikimedia.org
 DuplicateBBlackT111998 investigate/remove hostname login.m.wikimedia.org
 ResolvedBBlackT40516 Enable HSTS on Wikimedia sites
 ResolvedBBlackT132521 Enforce HTTPS+HSTS on remaining one-off sites in wikimedia.org that don't use standard cache cluster termination
 ResolvedBBlackT132452 HSTS preload for wmfusercontent.org
 ResolvedBBlackT132685 Preload STS for wikimedia.org
 ResolvedBBlackT34796 status.wikimedia.org has no (valid) HTTPS
 ResolvedBBlackT132450 enable https for (ubuntu|apt|mirrors).wikimedia.org
 ResolvedBBlackT132812 Sort out letsencrypt puppetization for simple public hosts
 ResolvedNoneT104728 make blog links from wmfwiki front page use HTTPS links
 ResolvedBBlackT105905 Switch blog to HTTPS-only
 InvalidNoneT64488 Wikimedia blog has unsecured elements on https

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:57 AM
bzimport added a project: Diff-blog.
bzimport set Reference to bz62488.
bzimport added a subscriber: Unknown Object (MLST).
Techman224 created this task.Mar 10 2014, 4:01 PM
liangent added a comment.Mar 10 2014, 4:31 PM

One is the information button of "For versions in other languages, please check the wiki version of this report, or add your own translation there!", and another is "‘Tofu’ Detection". Both are from blog content instead of the software.

Techman224 added a comment.Mar 10 2014, 5:31 PM

Take a look at the pictures, looking at my console I getting,

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but displayed insecure content from 'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:1

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but displayed insecure content from 'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:177

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but displayed insecure content from 'http://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Information_icon.svg/32px-Information_icon.svg.png': this content should also be loaded over HTTPS.

It's the images that are causing the warnings, they should be loaded with https, not http.

liangent added a comment.Mar 10 2014, 5:45 PM

(In reply to Techman224 from comment #2)

Take a look at the pictures, looking at my console I getting,

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but
displayed insecure content from
'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-
Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:1

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but
displayed insecure content from
'http://upload.wikimedia.org/wikipedia/commons/7/7d/ULS-WebFonts-Workflow-
Diagram.png': this content should also be loaded over HTTPS.
blog.wikimedia.org/:177

The page at 'https://blog.wikimedia.org/' was loaded over HTTPS, but
displayed insecure content from
'http://upload.wikimedia.org/wikipedia/commons/thumb/3/35/Information_icon.
svg/32px-Information_icon.svg.png': this content should also be loaded over
HTTPS.

It's the images that are causing the warnings, they should be loaded with
https, not http.

This is like what happens when a sysop puts importScriptURI("http://bits.wikimedia.org/...") in MediaWiki:Common.js. There's nothing that can be done from developer or sysadmin side. Ask blog post writers to fix them.

Dzahn added a parent task: T105905: Switch blog to HTTPS-only.Jan 28 2016, 8:21 PM
Chmarkine added a project: HTTPS.Jan 29 2016, 1:27 PM
Chmarkine set Security to None.
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptJan 29 2016, 1:27 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL