khawk said:

bzt said:
If it's not possible to revert to the old platform, could you just please fix that supposed-to-be CSRF protection thing? It literally worth nothing, and it is very annoying that I have to hack http referer lines into the requests every time I log in. Thanks.

I'm not clear what you're asking. Are you wanting to bypass CSRF protection?

bzt said:
Also I got many times 502 Internal server error and/or Bad gateway since you switched to this platform. Could you check on these? Today (in the last hour) I had at least 5 times this issue, you can match the time with the logs.

These are being worked on. Apologies for the inconvenience everyone has had with 502s today.

Hi,

I'm trying to tell you, that the so called "CSRF protection" of this forum engine is NOT working at all. I don't want to, but I must bypass it every time I want to log in. I have a secure environment, which does not allow referer to be sent along with the http requests, as that would allow hidden tracking. Javascript is also disabled by default in my browser, and this engine can't even load the CSS without JS (seriously, why?).

For a proper CSRF protection, you should generate a token on the server side (let's say an sha512 hash of a random number), save it in the session and also put it in a hidden field on the form, then check it with the POST request. Regenerate the token for every page generation. That's the proper way, not foolishly checking the HTTP referer header which can be manipulated extremely easily.

Without JS, you won't get CSS either on this forum, which is just terrible and unreasonable. But not only that, it also reveals that the design of this site is not optimized at all, for example the default user icon (generic-user.png) is so F*NG HUGE that you simply can't read the site, because covers out half of the screen. Also, storing and sending a 560 x560 pixels picture to every single client when it's resized to 44 x 44 anyway is, well, how to put it politely, not entirely sane. It takes lots of unnecessary bandwidth, which may cause some of your server issues as well.

Please don't feel offended, I'm telling this to help you make this site better. It is often difficult to point out security issues in my experience, because admins don't like to admit if their site is vulnerable. I can definitely help you if you want my help.

Cheers,
bzt

(Just to be clear, it's not the generic-user.png alone that might cause your troubles, but the unoptimized design in general with lots of little things that adds up.)

This is how the new design looks like on my browser. Just for the records, it's not the generic-user icon that might cause your troubles, but the unoptimized design in general.

image

Is the 'image' part of the demonstration (i see no link, just the plain text "image") or is something wrong on my side with the display of images ?

I still can't edit. I pasted in an image in my previous post via the clipboard, it is not shown (yet ?) ...

bzt said:
Javascript is also disabled by default in my browser, and this engine can't even load the CSS without JS (seriously, why?).

I really don't know what to tell you about the JS . In order to implement the forum features demanded by this community, JS is required. With JS required, it's not stretch to add CSS loading to JS as well when it simplifies deployment and aspects of implementation.

You're accurate that the site is not optimized right now. Very little has been done to optimize up to this point.

Re: CSRF, you are correct that adding it to the header is an exploit, except this is actually the CSRF implementation:

bzt said:
For a proper CSRF protection, you should generate a token on the server side (let's say an sha512 hash of a random number), save it in the session and also put it in a hidden field on the form, then check it with the POST request. Regenerate the token for every page generation. That's the proper way, not foolishly checking the HTTP referer header which can be manipulated extremely easily.

Adding it to the header as an additional check is explained here: https://security.stackexchange.com/questions/96114/why-is-referer-checking-needed-for-django-to-prevent-csrf. Since adding it to the header is not required with HSTS, that will be checked shortly.

Also thanks for noticing the default user icon had not been resized. That was forgotten in the crunch pre-conversion.

Green_Baron said:
I still can't edit. I pasted in an image in my previous post via the clipboard, it is not shown (yet ?) ...

Firefox's issue with editing, which requires JS, has not been looked at yet, and if I remember right you're using FF so you won't be able to edit until that is fixed. Planning to look at that shortly.

The "image" text above might have been a hiccup with an image upload. Just tested locally and seems copy and paste for images isn't uploading the image at the moment, so I'll address that. Drag/drop and toolbar are working.

Fix for copy and paste images forthcoming.

Have a cookie :-)

Sadly, I must agree that this seems like a giant step back. Different visuals I can adjust to, but the menus jump around for me, the screen partitioning is… confusing, and nothing works on either my phone or my palmtop mobile device. Everything locks and misbehaves, making the site literally unusable on anything but a traditional PC for me. And that makes this little panda very sad….

EDIT: It alsp claims that posting a comment fails, when it clearly does not. You see me, right? Right?? Oh god the meds are kicking in… is this real?! IS ANYTHING REAL???