Forum/download/etc HTTPS/SSL

BYOND Forums

Announcements · BYOND Help · Bug Reports · Feature Requests · Beta Testers · Beta Bugs · Developer Help · Design Philosophy · Demos & Libraries · Tutorials & Snippets · Art & Sound · Classified Ads · Game Updates · Contests & Events · Linux Talk · On Topic · Off Topic

ID:2134784

Aug 19 2016, 2:26 pm

GinjaNinja32

Applies to:

Website

Status:

Open

Issue hasn't been assigned a status value.

http://www.byond.com/forum/?post=2134407 made me investigate the SSL situation here a bit more.

- The whole site *works* via HTTPS, provided you use secure.byond.com (which is redirected to from https://www.byond.com, but interestingly not from https://byond.com
- Every link on a page loaded via HTTPS will just take you back to an HTTP page.
- secure.byond.com is just a CNAME for byond.com

The forum *should* be usable over SSL; the certificate you're using is a wildcard already, so you wouldn't need another cert for www.byond.com, and your webserver can already serve pages over HTTPS; the only issue is that every link is explicitly set to use the HTTP protocol instead of HTTPS;
For example, the "Forums" link, right at the top, is

<a class="mainmenu" href="http://www.byond.com/forum/"><span class=menu_center></span><span>Forums</span></a>

when it should be

<a class="mainmenu" href="/forum/"><span class=menu_center></span><span>Forums</span></a>

Ideally the whole site would be accessible via SSL, without having to edit the URL every time you loaded a page.

Aug 19 2016, 6:49 pm
MrStonedOne	at this stage you might as well redirect http to https.

Aug 21 2016, 1:54 am

Nadrew

For the time being, you can use a userscript set to run at document-start to force the page into the https version of the site no matter what, you do end up loading the original page to the point of the javascript (line 1) but it seems to work.

// ==UserScript==
// @name         HTTPS Force
// @namespace    BYOND
// @version      0.1
// @description  Force HTTPS
// @author       Nadrew
// @match        http://www.byond.com/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    if(window.location.protocol != "https"){
        window.location.href = "https:" + window.location.href.substring(window.location.protocol.length);
    }
})();

Only runs on the http side of the site, so it won't be embedded at all on the https side.

Aug 21 2016, 5:50 am (Edited on Aug 21 2016, 6:03 am)

In response to Nadrew

GinjaNinja32

I did a bit of tweaking and found a better way to do it:

// ==UserScript==
// @name         HTTPS Force
// @namespace    BYOND
// @version      0.1
// @description  Force HTTPS
// @author       Nadrew & GinjaNinja32
// @match        *.byond.com/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    if(window.location.href.match(/^http:/)) {
        window.location.href = window.location.href.replace(/^http:/, "https:");
    }

    var links = document.links;
    for(var i = 0; i < links.length; i++) {
        links[i].href = links[i].href.replace(/^http:\/\/(?:www.)?byond.com\//, "https://secure.byond.com/");
    }
})();

Essentially, instead of realising we clicked an http://byond.com link, it replaces the http:// links with https:// before you even see them. No loading the HTTP page then reloading to the HTTPS this way.

edit: added your http-to-https part back in; it's useful if you navigate or are linked directly to the HTTP version.

Aug 21 2016, 7:05 am
MrStonedOne	Chrome is still hiding the green marker because form targets are still http.

Aug 21 2016, 7:18 am

GinjaNinja32

It's not perfect (it still doesn't show the green marker), but the following fixes the forms too. Chromium doesn't seem to notice it was changed, hence the lack of green marker.

// ==UserScript==
// @name         BYOND HTTPS Force
// @namespace    BYOND
// @version      0.1
// @description  Force HTTPS
// @author       Nadrew & GinjaNinja32
// @match        *.byond.com/*
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    function replaceWithSecure(text) {
        return text.replace(/^http:\/\/(?:www\.)?byond\.com\//, "https://secure.byond.com/");
    }

    if(window.location.href.match(/^http:/)) {
        window.location.href = window.location.href.replace(/^http:/, "https:");
    }

    var i;

    var links = document.links;
    for(i = 0; i < links.length; i++) {
        links[i].href = replaceWithSecure(links[i].href);
    }

    var forms = document.getElementsByTagName("form");
    for(i = 0; i < forms.length; i++) {
        forms[i].action = replaceWithSecure(forms[i].action);
    }
})();

Aug 21 2016, 4:45 pm
Optimumtact	why not make the forum ssl by default?

Aug 21 2016, 6:30 pm
Nadrew	This is just a way to get it that way without having to wait for Lummox to update the website (which is a bit trickier than you'd expect)

Aug 22 2016, 4:45 am In response to GinjaNinja32
PJB3005	For some reason GreaseMonkey on FireFox didn't parse the `@match` block correctly on my end so I had to change it to `://.byond.com/*`