Hey all, I've had a bunch of issues lately from users of the HTTPS Everywhere plugin.

Basically, when the site was first designed it was not intended that SSL connections would be used for ordinary page views, only for stuff like managing your account, editing hub entries, etc. Common wisdom on the Internet has changed since then, but it'll need a bit of a redesign on my part to make it possible to view the www subdomain via HTTPS.

I've had reports of several types of issues from users who use the HTTPS Everywhere plugin, but the main ones are:
  • User tries to post to the forums, but it kicks them out to a different page and never makes the post, as if they're not logged in. This is because they are not in fact logged in on the regular site, because of HTTPS Everywhere.
  • User tries to do an account reset, but never receives the email. The form that gets sent via POST request goes to the regular site, not the secure site. (This is okay because there's no secure info in the form.) The plugin apparently chokes when trying to redirect POST requests.
Long-term, I intend to make changes to make the site work nicely with HTTPS Everywhere. For now, however, I suggest disabling the plugin on byond.com.

Please also note: The webclient will not work AT ALL with HTTPS Everywhere. This is because the connection it makes to an individual game server uses ordinary HTTP and websocket connections, not secure ones, so browsers will simply throw mixed-content errors instead.

Update: Using the www subdomain with the https protocol is now supported. BUT, you should by no means use the "secure" subdomain for pages that weren't explicitly meant for it: account settings, hub entry editing, etc. E.g. if you have a link that takes you to a forum page on the secure subdomain, you should be on the www subdomain instead. Those old links are outdated and mainly come from people having accidentally or incorrectly misused HTTPS Everywhere. In a future iteration I plan to force users to revert to the www subdomain for most links.
Please also note: The webclient will not work AT ALL with HTTPS Everywhere. This is because the connection it makes to an individual game server uses ordinary HTTP and websocket connections, not secure ones, so browsers will simply throw mixed-content errors instead.

For clarification, the rule I added to HTTPS Everywhere exempts the play directory.

Also, if you could make downloads (including the main download page) use HTTPS, that solves the main reason I added the rule.

I'll go PR a rule removal to HTTPS Everywhere.

edit: https://github.com/EFForg/https-everywhere/pull/17622