Bug Bites
-
Two navigation bars? That's a new one for me
-
One thread that I've read and participated in recently, just jellypotatoed my "last read post" to last year during the Lubaring
-
How about a thread like the other "Bites" threads where we can put minor bugs or weird behaviour that might not otherwise deserve a thread? Maybe it's a dumb idea. Maybe the pun in the title is dumb too. :who_nose:
Anyway the thing that prompted me to make the thread is that I noticed when upvoting posts, the number wasn't getting updated. This is clearly a showstopper, making the forum literally unusable.
I've seen this bug too and it has slowed my post rate to observable levels.
-
One thread that I've read and participated in recently, just jellypotatoed my "last read post" to last year during the Lubaring
There might be some progress on the overall jellypotatoe struggle.
-
@boomzilla said in Bug Bites:
There might be some progress on the overall jellypotatoe struggle.
If we ever update
-
@loopback0 said in Bug Bites:
@boomzilla said in Bug Bites:
There might be some progress on the overall jellypotatoe struggle.
If we ever update
I for one look forward to 57th Nevervember and the forum working properly
-
@loopback0 said in Bug Bites:
@boomzilla said in Bug Bites:
There might be some progress on the overall jellypotatoe struggle.
If we ever update
I for one look forward to 57th Nevervember and the forum working properly
I said if we ever updated, not if the forum ever worked properly
-
@loopback0 said in Bug Bites:
@loopback0 said in Bug Bites:
@boomzilla said in Bug Bites:
There might be some progress on the overall jellypotatoe struggle.
If we ever update
I for one look forward to 57th Nevervember and the forum working properly
I said if we ever updated, not if the forum ever worked properly
This forum can never work properly; we're here.
-
Status: I have managed to cause the floating chat window (on Desktop) to go above the viewport, and thus I cannot move it back down or properly close it.
Hoo ray.
-
@Tsaukpaetra said in Bug Bites:
Status: I have managed to cause the floating chat window (on Desktop) to go above the viewport, and thus I cannot move it back down or properly close it.
Hoo ray.
Can you force reposition from the JS console?
-
@Tsaukpaetra said in Bug Bites:
Status: I have managed to cause the floating chat window (on Desktop) to go above the viewport, and thus I cannot move it back down or properly close it.
Hoo ray.
Can you force reposition from the JS console?
I'm not that invested. I just fiddled with it, managed to create the window again, and then it made itself centered so all is well again.
-
@Tsaukpaetra said in Bug Bites:
I have managed to ~~cause the floating chat window (on Desktop) to go above the viewport,~~ break software in a way it hasn't been broken before
-
These are the voyages of @Tsaukpaetra. His continuing mission: to boldly break what no one has broken before.
-
When I have the composer open and "maximized", then switch tabs ~~to steal memes from Google image search~~ and come back, sometimes the composer is no longer maximized. It still thinks it is, because the button has the "restore" shape instead of the "maximize" one, and I have to click it twice to get it back to maximized, but the actual composer window is back to normal size.
I don't even know how/why it's possible for JS to detect that I'm switching tabs, probably some rogue Google "standard" so they can stop YouTube while you're not watching ads.
-
I don't even know how/why it's possible for JS to detect that I'm switching tabs, probably some rogue Google "standard" so they can stop YouTube while you're not watching ads.
It's a perfectly cromulent feature:
-
I don't even know how/why it's possible for JS to detect that I'm switching tabs, probably some rogue Google "standard" so they can stop YouTube while you're not watching ads.
It's a perfectly cromulent feature:
This event fires with a visibilityState of hidden when a user navigates to a new page, switches tabs, closes the tab, minimizes or closes the browser, or, on mobile, switches from the browser to a different app.
I see. So without that feature, my phone could play youtube in the background. Knew it was a rogue feature.
-
@topspin IME, youtube does keep playing in the background when you switch tabs. Twitter doesn't, you have to keep the tab open in its own window if you want to do anything else. Or at least that's the way it was last time I paid attention to it. The situation may have changed, and on mobile it may be Different™
-
@topspin IME, youtube does keep playing in the background when you switch tabs. Twitter doesn't, you have to keep the tab open in its own window if you want to do anything else. Or at least that's the way it was last time I paid attention to it. The situation may have changed, and on mobile it may be Different™
Though if you're ~~a freeloading mooch~~ not a paying customer, YouTube will periodically pause your music with a "are you still there?!?!?" dialog box, more frequently if the tab in question isn't active & on screen
-
@topspin IME, youtube does keep playing in the background when you switch tabs. Twitter doesn't, you have to keep the tab open in its own window if you want to do anything else. Or at least that's the way it was last time I paid attention to it. The situation may have changed, and on mobile it may be Different™
Though if you're ~~a freeloading mooch~~ not a paying customer, YouTube will periodically pause your music with a "are you still there?!?!?" dialog box, more frequently if the tab in question isn't active & on screen
I don't recall seeing that, but I also don't usually leave Youtube playing in the background for extended periods of time.
-
@topspin IME, youtube does keep playing in the background when you switch tabs. Twitter doesn't, you have to keep the tab open in its own window if you want to do anything else. Or at least that's the way it was last time I paid attention to it. The situation may have changed, and on mobile it may be Different™
Though if you're ~~a freeloading mooch~~ not a paying customer, YouTube will periodically pause your music with a "are you still there?!?!?" dialog box, more frequently if the tab in question isn't active & on screen
I don't recall seeing that, but I also don't usually leave Youtube playing in the background for extended periods of time.
It looks like this:
and appears after approximately 2.3 hours of non-interaction. Usually easier to trigger with playlists than long videos, though if you have Autoplay on it does it too.
-
@topspin IME, youtube does keep playing in the background when you switch tabs. Twitter doesn't, you have to keep the tab open in its own window if you want to do anything else. Or at least that's the way it was last time I paid attention to it. The situation may have changed, and on mobile it may be Different™
Though if you're ~~a freeloading mooch~~ not a paying customer, YouTube will periodically pause your music with a "are you still there?!?!?" dialog box, more frequently if the tab in question isn't active & on screen
I don't recall seeing that, but I also don't usually leave Youtube playing in the background for extended periods of time.
I don't usually leave YouTube playing in the background, but I usually have multiple tabs paused in the background. One of those will occasionally tell me it's paused and ask if I'm still there. Given that it was already paused, that seems rather pointless.
-
only has one wheel. I was looking for a unicycle, tho. Do not fix as user applications depend on this behavior.
-
-
You could say is @Gribnit necromancing all those ancient threads, but the half-assed Portuguese forum translation that keeps saying "ha 5 anos later" when he does is , too.
I was going to bitch about it earlier but I keep getting
403 Forbidden
when trying to upload a picture. Now I have a really interesting one to upload where the Random But Not Dumb Videos thread has entered Groundhog Day and is looping back onto itself, but it's still 403s all the way down.
-
@LaoC I get "session is out of sync" or something on mobile sometimes. Refreshing the browser generally fixes that but it sounds like this is something different.
What, exactly are you trying to upload?
-
@boomzilla said in Bug Bites:
@LaoC I get "session is out of sync" or something on mobile sometimes. Refreshing the browser generally fixes that but it sounds like this is something different.
What, exactly are you trying to upload?
A screenshot. Tried both jpg and png with either original name or something extremely simple like 123.jpg that can't have any charset problems.
-
@LaoC hmmm....seeing some of this in the logs:
2022-09-05T15:16:40.341Z [4567/167] - error: /api/post/upload invalid csrf token
2022-09-05T15:17:41.145Z [4567/167] - error: /api/post/upload invalid csrf token
-
@LaoC also, looking in the nginx logs, your failed requests look the same as mine (had one a little while ago).
-
Hmm OK. Now it works. I had just opened the thread from the category overview so I don't know how an invalid CSRF token could have been created (not like the window had been sitting there for a long time) but 's ways are mysterious.
I couldn't get the screenshot any better; you can just barely read the cut-off text, the next post after the one from 4min ago is from 2017, and there are multiple 2017 posts below it.
Of course it's not reproducible on the desktop …
-
@LaoC yeah, some kind of mobile only thing.
Have you tried ~~turning it off and on again~~ reloading the page?
-
@boomzilla said in Bug Bites:
@LaoC yeah, some kind of mobile only thing.
Have you tried ~~turning it off and on again~~ reloading the page?
Where's the fun in that?
-
Unable to throw rotten fruit at people found trolling in help topics. Thread appears inadvertently locked.
-
: - Something, presumed CSRF protection, prevents logout from stale menus reached by the back button.
Does anything allow scoping a nonce?
-
@Gribnit Do you want a repeat of the "viewing this thread logs you out" attacks? Because that's how you get "viewing this thread logs you out" attacks.
-
@TwelveBaud said in Bug Bites:
@Gribnit Do you want a repeat of the "viewing this thread logs you out" attacks? Because that's how you get "viewing this thread logs you out" attacks.
Eh, sounds like someone else's problem.
-
@TwelveBaud why is logout, a non idempotent action, triggerable by a GET?
-
@Arantor a question you could ask a CommunityServer dev if you could find one.
-
logout, a non idempotent action
Does it check, and fail, to log out if not logged in first?
-
Okay, I guess technically you shouldn't be able to logout if you're not the person you claim to be.
-
logout, a non idempotent action
Does it check, and fail, to log out if not logged in first?
I have no idea what http GET is actually supposed to do, but "not idempotent" is not the correct wording to describe "logout".
Idempotent means doing something once is the same as doing it many times (x*x=x). That's not necessarily the same as doing it zero times.
My first thought was that what's meant is "nilpotent", but that is also mathematically incorrect, because that just means "doing it n times is the same as doing it zero times, for some n."1 I.e., flipping a switch or negation is nilpotent, as doing it twice is the same as not doing it at all. But that's also not what's meant here.
Wiktionary suggests the word "nullipotent", which would apparently mean what we want it to mean, but I've never heard before.
Maybe just go with "side-effect free" instead.
1 Not sure if this isn't also technically true for idempotent, i.e. there only needs to be some n for which x^n = x, not necessarily n=2.
-
@topspin HTTP GET is notionally meant to be idempotent, as in, make the same request, get the same response (subject to caching and expiry rules which is covered in the spec as a variant on return because external factors have changed that you can't possibly know about)
The more... usual... interpretation (though less even in the spec) is that 'you shouldn't change application state via a GET'
-
@TwelveBaud why is logout, a non idempotent action, triggerable by a GET?
It's been a few years, so my memory is a bit fuzzy, but IIRC in CommunityServer logout was implemented by going to the page https://forum.thedailywtf.com/logout, or something like that. I suppose that page had some script that ran on load that invalidated your session token.
Somebody discovered that you could put an image link in a post: <img src="https://forum.thedailywtf.com/logout">, and that would run the logout script. Everyone who read that post would be logged out, pissing off all but one forum user.
-
@HardwareGeek yeah, I saw a lot of systems do that back in the day. It's a fundamental class of vulnerability caused by making things GETable that shouldn't be GETable, though tokens/nonces/CSRF values/whatever fixes that too.
-
though tokens/nonces/CSRF values/whatever fixes that too.
For a definition of "fix". It prevents those attacks, but you can still be bitten by the effects of prefetching.
-
@Zerosquare which is why you make them fucking POSTs as Berners-Lee et al intended.
-
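The GET-versus-POST logout point from the posts above, as an added example that is not part of the thread and not the forum software's code: a logout handler that ends the session on any request for /logout, beside one that only acts on a POST carrying a token bound to the session. All names (`legacyLogout`, `hardenedLogout`, `csrfTokenFor`, the request shape and the session store) are hypothetical, and the sample request is constructed.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // per-process demo key (constructed)
const sessions = new Set();              // live session ids (constructed store)

// CSRF token bound to the session: HMAC-SHA256(SECRET, sessionId).
function csrfTokenFor(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

// Constant-time comparison of the supplied token with the expected one.
function tokenMatches(sessionId, supplied) {
  const expected = Buffer.from(csrfTokenFor(sessionId));
  const got = Buffer.from(String(supplied ?? ''));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// "Before": any request for /logout ends the session, whatever the method.
function legacyLogout(req) {
  if (req.path !== '/logout') return 404;
  sessions.delete(req.sessionId);
  return 200;
}

// "After": the state change happens only on a POST carrying the session's token.
function hardenedLogout(req) {
  if (req.path !== '/logout') return 404;
  if (req.method !== 'POST') return 405;   // image loads and prefetches are GETs
  if (!sessions.has(req.sessionId)) return 401;
  if (!tokenMatches(req.sessionId, req.body?.csrf)) return 403;
  sessions.delete(req.sessionId);
  return 200;
}

// What a browser sends when it renders an <img> pointing at /logout:
// a GET with the reader's session cookie and no body (constructed request).
const imgRequest = { method: 'GET', path: '/logout', sessionId: 'reader-session' };
```

The 405 branch comes before the token check on purpose: a GET is refused even when it carries a valid token, which also covers the prefetching case raised above.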
-
@HardwareGeek yeah, I saw a lot of systems do that back in the day. It's a fundamental class of vulnerability caused by making things GETable that shouldn't be GETable, though tokens/nonces/CSRF values/whatever fixes that too.
You can't fool me; I know the front page doesn't exist!
-
@HardwareGeek obligatory
-
@Arantor that's from 20 years ago! how has no-one noticed this?