
Outgoing http links from deviantArt incorrectly go to https


In Firefox, clicking outgoing links on the deviantArt web site -- https://www.deviantart.com -- to http protocol sites instead go to the equivalent https site--and fail, if there is no https site. This error occurs in Firefox, but not in Chrome or Edge. And it does not occur in Firefox if you copy and paste the link, rather than clicking it directly.

For instance, the artwork description on this page

https://www.deviantart.com/smbhax/art/Visual-792896874

includes an outgoing link with the URL

https://www.deviantart.com/users/outgoing?http://smbhax.com/?e=0036&d=0024

If you copy and paste that link off of the deviantArt page and into Firefox's navigation bar, it correctly goes to deviantArt's redirect page, and clicking the link there takes you to the specified page on the http://smbhax.com site, http://smbhax.com/?e=0036&d=0024 .

However, if you directly click that same outgoing link in the description on https://www.deviantart.com/smbhax/art/Visual-792896874 , no redirect page appears, and the browser ends up showing an incorrect, https address in the nav bar

https://smbhax.com/?e=0036&d=0024

while displaying an error page saying

"Unable to connect

Firefox can’t establish a connection to the server at smbhax.com."

Firefox should not be attempting to go to the https address, as the link specified through deviantArt's redirect is an http address. I don't *think* this is an error with dA's redirect function; as I mentioned, clicking the outgoing links goes to the http site properly in Chrome and Edge, and copying and pasting the outgoing link into Firefox's navigation bar, instead of clicking on it directly, works correctly. I contacted dA's support and they suggested it was a browser issue. However, it is possible that Chrome and Edge are invisibly redirecting the failed https request to http--although I would think that in that case they would at least prompt the user, but I really have no idea.

I created a new Firefox profile, changed no settings, and the problem of clicking the link from dA and being taken to the https site instead of the specified http site still occurred.


Additional System Details

Installed Plug-ins

OpenH264 Widevine Content Decryption Module

Application

  • Firefox 66.0.3
  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • Support URL: https://support.mozilla.org/1/firefox/66.0.3/WINNT/en-US/

Extensions

  • Automatic Reader View 1.0.2 (@automatic-reader-view)
  • Avira Browser Safety 2.6.8.20081 (abs@avira.com)
  • New XKit 7.8.2 (@new-xkit-w)
  • uBlock Origin 1.18.16 (uBlock0@raymondhill.net)

Javascript

  • incrementalGCEnabled: True


Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
jscher2000
  • Top 10 Contributor
8312 solutions 68040 answers

Helpful Reply

Okay, I see why this is happening. DeviantArt has a Content Security Policy header in the first page instructing browsers to upgrade HTTP links to HTTPS. Firefox is applying this to the redirect. I don't know whether Firefox is following web standards or misinterpreting them. Maybe I'll look that up next. Not that this fixes anything, but at least it's not a complete mystery how this occurs.

Step 1: Request the main page

GET https://www.deviantart.com/smbhax/art/Visual-792896874

Response Headers:

HTTP/2.0 200 OK
content-security-policy: upgrade-insecure-requests; block-all-mixed-content;

Step 2: Requesting the outbound link

GET https://www.deviantart.com/users/outgoing?http://smbhax.com/?e=0036&d=0024

Response Headers:

HTTP/2.0 302 Found
location: http://smbhax.com/?e=0036&d=0024

Step 3: Following the Redirect

Firefox Browser Console message:

Content Security Policy: Upgrading insecure request ‘http://smbhax.com/?e=0036&d=0024’ to use ‘https’

GET https://smbhax.com/?e=0036&d=0024

(Fails)


I can't think of a workaround off the top of my head other than either

(A) If you are viewing DeviantArt in a regular window, right-click the outbound link and Open Link in New Private Window; or

(B) Right-click > Copy Link Location, then paste into the address bar and load from there

The reason that works is you get the intermediate page, and it has a plain link to the external page, and external links are exempt from the HTTPS upgrade.
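The three steps in the answer above, replayed as data (an added example, not part of the original post and not Firefox code). It parses the page's `content-security-policy` header and reports every redirect whose `http:` target would be requested as `https:`, which is the behaviour the thread observed in Firefox 66. The function names and the shape of the `page`/`hops` records are assumptions; the header and URL values are the ones quoted in the thread.

```javascript
// Parse a Content-Security-Policy header value into directive -> values.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;          // empty segment after a trailing ';'
    const name = tokens[0].toLowerCase();       // directive names are case-insensitive
    // CSP honours the first occurrence of a directive and ignores repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Rewrite http: to https:, leaving every other scheme untouched.
function upgradeScheme(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'http:') url.protocol = 'https:';
  return url.href;
}

// Walk the responses seen after a click on `page` and describe each redirect.
// Models the observed behaviour: with upgrade-insecure-requests on the
// initiating page, an http: Location is upgraded even on another origin.
function traceNavigation(page, hops) {
  const upgrade = parseCsp(page.csp || '').has('upgrade-insecure-requests');
  const pageOrigin = new URL(page.url).origin;
  const report = [];
  for (const hop of hops) {
    const isRedirect = hop.status >= 300 && hop.status < 400 && hop.location;
    if (!isRedirect) continue;
    const target = new URL(hop.location, hop.url); // Location may be relative
    const requested = upgrade ? upgradeScheme(target.href) : target.href;
    report.push({
      from: hop.url,
      location: target.href,
      requested,
      upgraded: requested !== target.href,
      crossOrigin: target.origin !== pageOrigin,
    });
  }
  return report;
}

// Redirects worth checking by hand: upgraded AND leaving the page's origin,
// so the page's operator cannot guarantee an https listener exists there.
function upgradedCrossOriginRedirects(page, hops) {
  return traceNavigation(page, hops).filter(r => r.upgraded && r.crossOrigin);
}

// Constructed input: values copied from Steps 1 and 2 of the answer.
const samplePage = {
  url: 'https://www.deviantart.com/smbhax/art/Visual-792896874',
  csp: 'upgrade-insecure-requests; block-all-mixed-content;',
};
const sampleHops = [{
  url: 'https://www.deviantart.com/users/outgoing?http://smbhax.com/?e=0036&d=0024',
  status: 302,
  location: 'http://smbhax.com/?e=0036&d=0024',
}];

for (const r of upgradedCrossOriginRedirects(samplePage, sampleHops)) {
  console.log(`${r.location} would be requested as ${r.requested}`);
}
```
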

jscher2000

I couldn't find a bug on file for this at https://bugzilla.mozilla.org/ and I was thinking of filing a new one saying that when a redirect goes to a different origin, the connection should not be upgraded, but I'm not really sure what is correct. Perhaps DeviantArt should not combine the "must upgrade to secure" with links to external servers? Anyway, it's a really interesting problem.

One possible workaround would be an add-on or script that finds these links and if they are to insecure sites, modifies the link to force display of the intermediate page. For example:

var aels = document.querySelectorAll('a[href*="https://www.deviantart.com/users/outgoing?http://"]');
for (var i=0; i<aels.length; i++){
  var s='noreferrer '; 
  if(aels[i].hasAttribute('rel')){
    s+=aels[i].getAttribute('rel');
  } 
  aels[i].setAttribute('rel', s.trim());
}

Now that I think about it, perhaps it makes more sense to just turn it into a direct link. For example:

var aels = document.querySelectorAll('a[href*="https://www.deviantart.com/users/outgoing?http"]');
for (var i=0; i<aels.length; i++){
  aels[i].href = aels[i].href.replace('https://www.deviantart.com/users/outgoing?', '');
}

Yes, much simpler and faster. Except you don't want to be opening the Web Console each time, so you need a user script engine (e.g., Tampermonkey, Greasemonkey, Violentmonkey) or other tool to run the script automatically when you load the page.
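A user-script form of the second snippet above (an added example, not the poster's code). It rewrites only outgoing links whose embedded target parses as a plain `http:` URL, leaves `https:` targets on the redirector since the upgrade does not affect them, and ignores any other scheme. The names `directTarget` and `rewriteOutgoingLinks`, the metadata block values, and the assumption that descriptions may be inserted after page load are mine.

```javascript
// ==UserScript==
// @name   deviantArt outgoing http links: link directly (added example)
// @match  https://www.deviantart.com/*
// @grant  none
// ==/UserScript==

// Prefix quoted in the thread; the destination follows it unencoded.
const OUTGOING_PREFIX = 'https://www.deviantart.com/users/outgoing?';

// Return the embedded destination if `href` is an outgoing link to a plain
// http: URL, otherwise null (not an outgoing link, https target, bad URL,
// or a scheme such as javascript: that must never become a link target).
function directTarget(href) {
  if (typeof href !== 'string' || !href.startsWith(OUTGOING_PREFIX)) return null;
  let target;
  try {
    target = new URL(href.slice(OUTGOING_PREFIX.length));
  } catch (e) {
    return null; // empty or unparseable destination
  }
  return target.protocol === 'http:' ? target.href : null;
}

// Rewrite matching anchors under `root`; returns how many were changed.
function rewriteOutgoingLinks(root) {
  const selector = 'a[href^="' + OUTGOING_PREFIX + 'http://"]';
  let changed = 0;
  for (const a of root.querySelectorAll(selector)) {
    const target = directTarget(a.href);
    if (target === null) continue;
    a.href = target;
    changed++;
  }
  return changed;
}

// Only runs in a browser. childList mutations are observed, attribute
// changes are not, so rewriting an href does not re-trigger the observer.
if (typeof document !== 'undefined') {
  rewriteOutgoingLinks(document);
  new MutationObserver(() => rewriteOutgoingLinks(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Once rewritten, a link no longer passes through deviantArt's redirector or its intermediate page, so the destination shown in the status bar is the one the browser will load.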

Modified by jscher2000


Question owner

I'd figured out copy and paste works. : ) Good find about the Content Security Policy! Firefox seems to be handling it differently than the other browsers. I wonder if it's supposed to be doing that.

deviantArt's policy statement on upgrading to https https://www.deviantart.com/danlev/journal/DeviantArt-Is-Switching-To-HTTPS-697996906 makes clear that they wanted to force externally served images to use https; not so sure they meant to break outgoing http links, though--the support team suggested maybe the error was just the browser's "warning" when it found the user being redirected to an unencrypted site. Definitely reads like an error rather than a warning, though, especially as there's no way to accept and click through to the intended destination.


Question owner

My concern about this is not for my own use of the links, but for other dA users who might be trying to use my links, and get tripped up by the http to https upgrade if they're running Firefox. In Googling this I found another dA user who had the same concern for viewers about links she was putting on her pieces.

jscher2000

Helpful Reply

There is a 16-month-old bug on file, and I added a reference to this thread: https://bugzilla.mozilla.org/show_bug.cgi?id=1422284

It generally doesn't help to add comments like "hurry up" and "are we there yet," but if you hear of other popular sites affected by this issue, we could add them to try to get it fixed sooner.


Question owner

Wonderful! Since there is a bug entry on the underlying problem, does that mean I should mark your comment as "Solved the problem"--or do I leave the support thread open until the bug is actually squashed?

jscher2000

It's up to you whether to mark it. The main difference is that the post you mark as a solution appears directly below the question, and the metadata of the page is changed to allow it to come up in web searches. That could be useful, even if it is more "explained" than "solved."


Question owner

Odd that open support forum "questions" aren't allowed in web searches; when I was Googling about this problem, I didn't look very hard at "Solved" results from this forum, assuming "Solved" meant "Fixed."

It does show up through searches of the support forum, at least. And there it says "1 person has this problem," which makes me lean toward wanting to leave it open.

I don't suppose it will automagically be marked as Solved when the Bugzilla entry is marked as fixed?


Question owner

(I suppose if I actually phrase this entry's title as a "Question" as the forum puts it, that question could be considered solved; but when I go to edit the title, the help box that appears gives examples that *are* phrased as problems rather than questions, and refers to what to put in there as "the problem."

I guess this is the case of the original "Question" software sort of being used for a different purpose--a support forum that may deal with software bugs--than it was originally designed for.)
