[X] My Assistant

So for the last week or so, it seems to take 25-30 seconds for an image in the gallery to actually load. I can confirm its not my connection, as my mobile can load the images fine. Just seems to be something with firefox.

Was anything changed recently internally?

im on firefox and i noticed that after firefox updated the other day that images take a long time to load as well. i think it has something to do with the security settings cause i get this on some manga sites as well. next to the web url, do you see a lock icon? does it turn yellow when you try to load an image on the gallery? if so then you and i are suffering from the same issue

Yes, it broke on FF51 beta 1 for me. Happens on a fresh install with no addins etc. I'd guess some javascript need changing but it's beyond me to find what.

Right clicking the place holder and going "View Image" works as a kind of work around as it loads instantly but might be best to go back to FF50 or use another browser for galleries for the moment.

This post has been edited by giovan: Jan 26 2017, 01:24

Check the ongoing discussion of HSTS prinning.

If you're using Firefox, try disabling HSTS Priming (about:config > search security.mixed_content.send_hsts_priming > set it to false)

It made it into the stable version, unfortunately.

As by now, the only way to work around HSTS Priming, is to either enable the H@H clients to properly respond to the HSTS Priming request (which requires a slightly more robust implementation of the request parser in order not to get stuck on an attempted TSL handshake!), or to mask the IP addresses by subdomains which you can then explicitly exclude from HSTS.

Well, the latter one would also be prerequisite for eventually rolling out IPv6 / dual stack.

And what do I mean by "more robust"? You know exactly...

The culprit is the use of BufferedReader::readLine() in HTTPSession.java which does NOT return until either the socket is closed or a new line character appears. So the TLS handshake only fails when the timeout eventually kills the worker thread and the socket is closed.

You need to validate per regex from the ***first*** received byte onwards, whether it can still become a valid, plain HTTP request, and immediately close the socket when you receive the first wrong byte.

That means if the first received character isn't either "G" or "H", it's already not an HTTP request.

Esiest done by using the regex which is already in there, and then use [docs.oracle.com] Matcher::hitEnd() to verify whether the string *could* match if more characters are added, even when it doesn't yet. And the run the regex every time the socket runs empty. Do NOT use a BuffereReader.

@ehentai: The problem with @Firefox 51 is that it violates RFC2616/7230 by sending a binary request to sockets that expect a plaintext request.
@ehentai: The standard specifies that a client MUST NOT generate protocol elements not allowed by the standard, which @Firefox 51 does.
@ehentai: As such @Firefox 51 is a broken release that should never have been, and whoever greenlit HSTS priming in the current state should be fired.

The tl;dr version is Firefox is slowly (but surely) becoming shit and getting dangerously close to Safari - and soon... Internet Explorer.

Firefox 51 is another catastrophe. Amending the wiki to let people know Firefox is shit, even the stable version, as it fails to respect PROTOCOL COMPLIANCE 101.

This post has been edited by Luna_Flina: Jan 26 2017, 22:21

I noticed on my firefox that the picture won't load, but as soon as I hit the " Click here if the image fails loading" the image will load like normal, but having to do this on each page is annoying

I noticed on my firefox that the picture won't load, but as soon as I hit the " Click here if the image fails loading" the image will load like normal, but having to do this on each page is annoying

If you cannot read the post above you I'll simply delete your post next time and completely ignore it.

Update Firefox

Head over to E-hentai

Read news


DAMIT.

(might be able to roll back from a backup)

Using FF. Updated broke my My Highlighter script (the unnecessary part of what I posted if you don't need more tags).


Fixed. Use https://e-hentai.org/api.php (IMG:[invalid] style_emoticons/default/smile.gif)

This post has been edited by Simpleton8: Jan 27 2017, 07:03

TEXT

If I make this change, what happens to Firefox in terms of security? I use a few addons to make it extremely secure, but I dont know about the config change.

If you want security updates but not the latest "features", you can use the [en.wikipedia.org] Extended Support Release, which is currently at version 45.7.0.

Necromusume's recommendation sounds like a good idea if you do not wish to change browsers. I believe 45.7.0 has most of the "crucial" features.

EDIT: Mixed up ESR and "stable". Thanks for the fix - brain farted.

This post has been edited by Luna_Flina: Jan 27 2017, 13:38

I really don't advise using an old version of a web browser. They're loaded with [www.mozilla.org] severe vulnerabilities that have been publicly disclosed and that everyone everywhere is trying to exploit to break into your computer. Mozilla do NOT backport those fixes to old versions, except for the latest version of the extended support release. Even if you only intend to use an old browser on one site, it's easy to forget. And if there's a bug allowing someone to break in via crafted image files? You are expecting that the galleries will detect every possible case of that, and presumably don't use the same browser on the forum... right?

That's part of the problem with the direction Firefox is going. Even if you want to stay on an old version, you can't.

"If you're using Firefox, try disabling HSTS Priming (about:config > search security.mixed_content.send_hsts_priming > set it to false)"

This worked for me just fine. But 1 question what does this option even do? Are there any dangers if I just deactivate it like that?

Should I re-enable it after the next FF update?

This post has been edited by Bonebuster: Jan 27 2017, 13:37

The really short and almost-too-oversimplified TL;DR version is:

• HSTS is a mechanism that a site can use to force browsers to always use HTTPS when interacting with it, even if the site could also be accessed via HTTP;
• When you're accessing a page over HTTPS, certain kinds of resources(*1) will automatically be blocked by the browser IF accessed via HTTP. This operation is commonly referred to as "mixed-content blocking".(*2)
  • Example: if you're visiting the page "https://somesecuresite.com" (via HTTPS) and the page links to a a script located on "http://somenonsecuresite.net/script.js" (via HTTP), the request will be blocked due to security issues.
• HSTS Priming is a mechanism (not part of HSTS) that the browser can use to try to avoid mixed-content blocking. The general idea is that the browser sends a special request (aka priming request) to the server to check if a resource that would have been blocked due to mixed-content policies could be accessed via HTTPS instead of HTTP. Once the server replies, the original request is either blocked (if the server says it can't serve it over HTTPS) or "upgraded" (if the server says it's okay to request it via HTTPS).(*3)

HSTS is not a problem and you should keep it enabled; HSTS Priming is currently broken and it should be disabled. There is no inherent security downgrade in keeping it disabled, the browser will just be more anal about accessing non-secured resources.

(*1) Scripts, XHR requests and iframes are the usual victims
(*2) Notice that images are not affected by this, as they are defined as "optionally-blockable" content and the decision whether to block them or not is left to the browser (and modern browsers never block them because it would be insane)
(*3) It's called HSTS Priming because it relies on the HSTS mechanism; the browser is basically trying to get the site that holds the resource to say whether it supports HSTS or not before requesting the resource

Stuff you can read if you're interested:

[developers.google.com] What Is Mixed Content?
[en.wikipedia.org] Wikipedia page for HSTS
[wicg.github.io] HSTS Priming's pseudo-RFC

alright, thx for the explanation. I think I got it now (IMG:[invalid] style_emoticons/default/wink.gif)

The tl;dr version is Firefox is slowly (but surely) becoming shit and getting dangerously close to Safari - and soon... Internet Explorer.

Firefox 51 is another catastrophe. Amending the wiki to let people know Firefox is shit, even the stable version, as it fails to respect PROTOCOL COMPLIANCE 101.

Firefox input. [qsurvey.mozilla.com] https://qsurvey.mozilla.com/s3/FirefoxInput/

Seriously, even the frowny/smiley faces are lame but there's a feedback window after that so everyone should tell them how they're starting to suck. We need FF to go back to the way it use to be, meaning not shitty and getting more and more broken with each update.

Check the ongoing discussion of HSTS prinning.

I feel like I'm just being stupid missing something obvious, but where exactly do I find the option to disable this. I get what I should do if I could just find where to start but can't seem to find anything called about:config in any firefox settings.

Open a new tab and type about:config in the location bar as the URL to go to. about: URLs are Firefox internal URLs.

Longer version: [kb.mozillazine.org] http://kb.mozillazine.org/About:config

This post has been edited by Necromusume: Jan 27 2017, 23:40

Open a new tab and type about:config in the location bar as the URL to go to. about: URLs are Firefox internal URLs.

Longer version: [kb.mozillazine.org] http://kb.mozillazine.org/About:config

Thanks, got it working now.