
Chrome is now completely choking on downloads from files.scene.org.

Some investigation reveals that files.scene.org is in https, but every mirror it serves is insecure http/ftp so Chrome screams about bloody murder and mixed content, which is now blocked by default instead of just complaining. Perhaps it's time to push all the scene.org mirrors over to https?

Also, disabling this flag chrome://flags/#treat-unsafe-downloads-as-active-content will restore functionality for now


@espen I've noticed this on various websites for a while now, as I generally run the dev channel. I try to report it straight to the devs of the websites where there's an easy way of contacting, but for several it's out of their reach (for instance because they rely on a CDN or other third-party host sponsor, which isn't offering https still), or they don't consider it an issue yet because "it's just on dev channel".

Copying link and paste & go straight in address bar usually works as workaround

@espen thanks for the flag though! Hadn't spotted that one yet, and didn't see it in the #MixedContent warning in the console.

I do wish the browser wouldn't silently block the download though (which it does in dev), and only warn in the inspector console. The old behaviour of giving an 'unsafe download' warning in the status bar, which you could override, was much more user friendly imho.

@FiXato Yeah, I'm on Chrome 87 which is out not too long ago. But yeah, I have seen the warnings for a while and assumed it was "here be weird code and packers and whatnot" but then suddenly nothing, no warning, no download, no nothing, so it's definitely an issue.

@espen @FiXato also chrome regularly flags scene.org as 'malware' because the files are crunched.

(This also affects firefox, so...)

Bottom line: it's becoming more difficult to have an archive of demoscene material that is available to all sceners, because certain companies want to control all content, and we're DEFINITELY outside their standard use case. Old machines? no, buy an android device, we don't support old machines. Crunched files? No, that is malware, or could be, we can't check, and we don't trust YOU, you should totally trust US though!

You could see it as an issue because your preferred browser is giving you fits, or you could just... use one of the methods that works. FTP still works, so do simple http browsers like lynx / elinks / dillo . It's not that it's NOT available, it's that it IS available. To all. Just... your method is trying to limit.

I'd like to see gopher and gemini versions added, though (:

@Truck

I agree that it is becoming more difficult and problems like company so there could be multiple things going on to complicate things further.

However, I think it is definitely the case that Chrome's current problem is that files.scene.org is serving mixed content, with an https site giving out http downloads. As far as I can tell, the Chrome team has been working on this for most of the year, starting with a soft warning for every type of web content in the beginning of the year and gradually transitioning to a hard block of the content. It is scheduled to be complete in early 2021, where all "mixed" content from a website is simply ignored, be it files, images, what have you. So we got a release or two of Chrome yet before all the screws have been securely tightened.

Now, like you said, it still works and you can always use another browser, but I think step one is at least acknowledging the issue and proceeding to debate if slapping a "WontFix" on the problem is the proper solution. I'd personally https/ftps-ify the downloads which hopefully wouldn't be too much effort and would clear the current hurdle. And to be fair, removing http/ftp downloads altogether and going gopher-only for instance would probably also technically fix the problem.

But this is just my two cents.

@FiXato

@espen @FiXato but it isn't 'serving mixed content.'

It's a link, following a link with a stated protocol should not trigger 'mixed content.'

Unless I am misunderstanding which page you are on.

@Truck
I can't speak for scene.org, but some sites downgrade a connection by 30x redirecting a httpS download link to a plain http one, which theoretically could be an issue as it then becomes more susceptible to MITM attacks and messes with user expectations. In such cases I do think a browser should do something to protect the user, though imho a warning before downloading would suffice.
@espen

@Truck @FiXato

FiXato is correct, the issue is redirection. But to give an actual example, if you for the sake of argument visit this link: files.scene.org/view/demos/gro

And try to download the zip-file, nothing happens, until you check the dev-console where I get this error (and it is now an error instead of just an "insecure warning"):
Mixed Content: The site at 'files.scene.org/' was loaded over a secure connection, but the file at 'http.no.scene.org/scene.org/de' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See blog.chromium.org/2020/02/prot for more details.
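
An added example, not part of the thread: a simplified model of the check behind the console error above, which classifies a download by its initiating page and redirect chain. The function names and the placeholder hosts are assumptions made for illustration, and only `https:` is treated as secure here.

```javascript
// Simplified model (an assumption, not Chrome's source): only https: counts as secure.
function isSecure(url) {
  return new URL(url).protocol === "https:";
}

// initiator: URL of the page holding the link, or null when the user
// pasted the link straight into the address bar (no initiating page).
// chain: every URL the download request visits, in order, ending with
// the URL that actually delivers the file.
function classifyDownload(initiator, chain) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  const insecureHops = chain.filter((u) => !isSecure(u));
  let verdict;
  if (insecureHops.length === 0) verdict = "secure";
  else if (initiator === null || !isSecure(initiator)) verdict = "insecure-not-mixed";
  else verdict = "mixed-blocked";
  return { verdict, insecureHops };
}

// Constructed sample data; hosts are placeholders, not scene.org's real mirrors.
const page = "https://archive.example.org/view/demo.zip";
const samples = {
  redirectDowngrade: [
    "https://archive.example.org/get/demo.zip",
    "http://mirror.example.net/pub/demo.zip",
  ],
  ftpMirror: ["ftp://mirror.example.net/pub/demo.zip"],
  httpsMirror: [
    "https://archive.example.org/get/demo.zip",
    "https://mirror.example.com/pub/demo.zip",
  ],
};

for (const [name, chain] of Object.entries(samples)) {
  const { verdict, insecureHops } = classifyDownload(page, chain);
  console.log(name, verdict, insecureHops.join(" "));
}
```

Passing `null` as the initiator models the paste-into-address-bar workaround mentioned earlier in the thread: the same chain is still insecure, but no secure page initiated it, so it is not classified as mixed.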

@espen @FiXato

Ok, that's a change in the way browsers work, which ... quite frankly I disagree with.

Anyway the bottom line here: Those files are NOT served over https, because they are on http links, served by people providing storage and bandwidth for free.

Google operates on the concept that everyone is going to pay for the net, likely via advertising, and that advertising comes back to them. We're outside that spectrum.

But just like how the ftp links don't work at _all_ in firefox (and likely chrome) despite the files being accessible to people via ftp, and ftp:// being a _valid_ url scheme, one could say "well those links should be changed!"

That's something that likely can't be done easily, or at no cost, and - as these are being served _at no cost_ ...

of course, one could then say "well we should put advertising links on there to pay for that"
- "not just no, HELL no":
- those few clicks are NOT going to pay an admin's salary

@espen @FiXato that said: putting an icon next to the https links (link? I think only one is https...) would solve this for users. You'd know it was https.

And probably not hard for someone to do to the (probably) php code. Maybe mail gargaj? He may be able to do that.

(I have nothing to do with scene.org servers - the main one I believe is at Redhound's university; Gargaj does most of the coding, I think, for these things. )

@espen Yeah, that's not going to happen (the https part.)

While 'modern' computers can download https, many of the people accessing scene.org are doing so from older computers that can't do https without additional workarounds, or even additional hardware.

That's a major reason why the http and ftp links will stay, and be the default.
