Jump to content
Sign in to follow this  
Followers 15
Geocaching HQ

Release Notes (Website: User profiles) - November 8, 2018

Recommended Posts

Release Notes (Website: User profiles) - November 8, 2018
 
With today’s release, JavaScript no longer works on Geocaching user profile pages. This change was made to address GDPR (General Data Protection Regulation) and general security concerns.
 
For users who have added content to their profile page, we suggest checking to confirm it is still displaying as expected. We’re sorry for any disruption this change may cause.
 
Sean B. (bootron), Geocaching HQ’s Engineering Manager, is watching this thread to answer questions whenever possible.


Any posts in this thread should relate to features in this release. Comments unrelated to the release may be removed. Please direct unrelated comments to other appropriate threads. Thanks!

Share this post


Link to post
11 minutes ago, Geocaching HQ said:

This change was made to address GDPR (General Data Protection Regulation) and general security concerns.

The security concern does make sense and for that reason I'm not opposed to this change, but I can't figure out how GDPR applies. That regulation covers the processing of personal data, and I don't see how JavaScript is in any way related to that.

  • Upvote 4

Share this post


Link to post

Perfect, no more tab / maps switching on my public profile.

 

What's that got to do with GDPR or security...? :wacko:

  • Upvote 1

Share this post


Link to post

My guess is that this is related to GDPR since users can add tracking to their profile page. They still can, but it won't be javascript tracking anymore.
That is the only explanation I can think of. But this should mean that cache descriptions will change soon too.

  • Upvote 1
  • Helpful 1

Share this post


Link to post
38 minutes ago, Geocaching HQ said:

For users who have added content to their profile page, we suggest checking to confirm it is still displaying as expected.

The external links are just as broken as they were before this change.

 

Hint: Shift-Click should open the link in a new window, and Command-Click (or Control-Click) should open the link in a new tab.

Share this post


Link to post
11 minutes ago, thomfre said:

My guess is that this is related to GDPR since users can add tracking to their profile page. They still can, but it won't be javascript tracking anymore.
That is the only explanation I can think of.

That's possible. Thanks for the example.

 

Quote

But this should mean that cache descriptions will change soon too.

Why would they change? Descriptions have never allowed JavaScript.

Share this post


Link to post

Well, count me as one affected. hmph.

I liked the speed loading the profile page with static content, then loading an auto-updated optional large caching gsak stats page if the user wished, and not needing to regularly update the profile content.  Boo. Back to the more tedious basics.

 

Though I note now that the HREF properties are also stripped and replaced, so opening the link in a new tab doesn't work. We are forced to regular click the link and go through their intended link-visit process. That seems a little excessive. (hijacking basic browser behaviour is yuck; middle click should successfully open a link in a new tab, for instance)

Edited by thebruce0
  • Upvote 3

Share this post


Link to post
2 hours ago, The A-Team said:

The security concern does make sense and for that reason I'm not opposed to this change, but I can't figure out how GDPR applies. That regulation covers the processing of personal data, and I don't see how JavaScript is in any way related to that.

 

We have been making various changes to the website and mobile app in order to support GDPR issues and also PCI Compliance and general security concerns. This particular change is more about the latter two than it is about GDPR.

 

bootron

Share this post


Link to post
16 minutes ago, bootron said:

We have been making various changes to the website and mobile app in order to support GDPR issues and also PCI Compliance and general security concerns. This particular change is more about the latter two than it is about GDPR.

What was the reason for breaking the behavior of normal links?

Share this post


Link to post

OK, I'm confused.

 

How do I open the profile information I have added to my PROFILE?  Clicking on links doesn't work.

 

Also, since many challenge caches require you to have your stats on your profile for ease of checking for qualifications, what happens to all these caches?  How do they access it?  Seems like someone has opened a great big can of worms and has no idea of how to get them back in!  Right up there with the NEW AND IMPROVED cache location map page - it stinks!

 

Share this post


Link to post

I´m not good in such things, but is that why my banners and country flags are not shown anymore in my profile?

 

And if so, how to restore it?

Share this post


Link to post

Can you please restore outbound links? I see the need for blocking javascript, but links shouldn't be any problem.

Can you please make links open the normal way, so it doesn't trigger popup blocking...

Edited by thomfre
  • Upvote 4

Share this post


Link to post
1 hour ago, DragonSoldier45 said:

Also, since many challenge caches require you to have your stats on your profile for ease of checking for qualifications, what happens to all these caches?  How do they access it?  Seems like someone has opened a great big can of worms and has no idea of how to get them back in!  Right up there with the NEW AND IMPROVED cache location map page - it stinks!

Challenge caches that require "stats on your profile" usually mean that you have not chosen to hide statistics on the "Statistics" tab of your profile.  The change announced in the topic does not change anything in that Statistics tab.

 

I haven't seen a challenge cache that requires finders to put their statistics in the "About" tab of their profile, which is what this topic affects.  Would be interested to see one.

  • Upvote 3

Share this post


Link to post

Why is GDPR used as an excuse for some of the changes? It seems someone needs to read up on what GDPR really is about. :rolleyes:

 

  • Upvote 4

Share this post


Link to post

@bootron

 

I appreciate that these changes were required due to security and compliance issues. However, a lot of people liked having more detailed statistics than those supplied by geocaching.com in their profile and used GSAK+FSG or project-gc to generate those. Both sources created cool looking, well structured statistics pages by making use of "click" events and "show"/"hide" features of javascript/html. All of this no longer works. While I can see that some features of javascript were an issue, I don't see how the click/show/hide features could be a security/compliance risk.

 

Is there any chance to just bring a subset of supported features back that would allow those cool statistics pages to keep working without opening the page up to security/compliance issues? This would be similar to the cache listings only supporting a subset of available html tags...

  • Upvote 5

Share this post


Link to post
1 hour ago, noncentric said:

I haven't seen a challenge cache that requires finders to put their statistics in the "About" tab of their profile, which is what this topic affects.  Would be interested to see one.

I think it wouldn´t be publishable, since I don´t see a way to chellange check it.

Share this post


Link to post
27 minutes ago, DerDiedler said:
1 hour ago, noncentric said:

I haven't seen a challenge cache that requires finders to put their statistics in the "About" tab of their profile, which is what this topic affects.  Would be interested to see one.

I think it wouldn´t be publishable, since I don´t see a way to chellange check it.

A bit off-topic, but pre-moratorium challenge caches didn't require a challenge checker.  But my point in my post is that I don't think there are any such challenges that require info be in the About tab, but if there are any (as DragonSoldier45 suggests there are) then I'd be interested to see them.

  • Upvote 1

Share this post


Link to post

Am I dreaming or has this change also caused giant fonts to appear on some data e.g. My GSAK generated static profile now looks hideous on a PC.  Maybe this was an earlier change  and I just failed to notice. 

 

BTW Mentioning Javascipt and GDPR in the same sentence is just so misleading. I think you should update everything here to remove GDPR to reinforce that javascript is security related and nothing whatsover to do with GDPR.

Edited by lodgebarn
  • Upvote 3

Share this post


Link to post

In fact worse seems to be happening. None of the cache links on my profile work now. Of course if I open my profile page rendered from another web server all links work as before and the page displays correctly. This is not just javascript being blocked it is a wholesale massacre. Is it possible style tags have been affected as well somehow?

Edited by lodgebarn

Share this post


Link to post
13 minutes ago, lodgebarn said:

None of the cache links on my profile work now.

Are you sure it's not just your browser blocking popups? That was the case on my profile...

Share this post


Link to post

This step affects thousands of geocaches who have their statistics in the profile. Although they can still upload them there, most of the improvements they've been working on for years have stopped working. It is not even possible to switch between different statistics sections, so there is a risk of returning to the old way, when everything was on a very long page. Additionally, some statistics generators are no longer supported by their creators, and this means a lot of work on switching to another system.

  • Upvote 1
  • Helpful 1

Share this post


Link to post
5 hours ago, Arne1 said:

This step affects thousands of geocaches who have their statistics in the profile. Although they can still upload them there, most of the improvements they've been working on for years have stopped working. It is not even possible to switch between different statistics sections, so there is a risk of returning to the old way, when everything was on a very long page. Additionally, some statistics generators are no longer supported by their creators, and this means a lot of work on switching to another system.

This might be a good time to mention the idea of a user-editable statistics page, which has been suggested before. That way these custom stats that form a very long page could go on the user-editable statistics page, and would hit only the people who actually clicked on that page.

Share this post


Link to post

Regardless of whether any part of this change will be reverted even temporarily, yet again we have a significant change that came without warning that's affecting a large portion of the community (whether they know yet or not).  Without warning.   If there was a notice made even as soon as a week beforehand, there would have been time for people to make changes to their custom About page, and for devs of third party HTML source code to adjust how they're created to work with the new script-sanitized environment (and notify their users).

 

There's a whole lot of public unexpected achy breaky going on, and it's not reflecting well on the promise to "make better mistakes tomorrow".... :(

Edited by thebruce0

Share this post


Link to post

We are non techies so how do we restore our Earthcache bronze, silver, gold and platinum banners for starters or are destined to have an almost blank profile with only the default text visible?

Share this post


Link to post
49 minutes ago, me N u said:

We are non techies so how do we restore our Earthcache bronze, silver, gold and platinum banners for starters or are destined to have an almost blank profile with only the default text visible?

 

Hi me N u,

if I look at your profile I do see some Earth Cache banners and some statistics?

menu.png

Share this post


Link to post

It seems they changed it back or did something else. My Profile Information looks like normal again. No more broken banner or country flags.

Share this post


Link to post
13 hours ago, thomfre said:

Can you please restore outbound links? I see the need for blocking javascript, but links shouldn't be any problem.

Can you please make links open the normal way, so it doesn't trigger popup blocking...

 

We are looking into a fix for the links so they will behave more like standard html links.

  • Upvote 1

Share this post


Link to post
11 hours ago, sbeelis said:

@bootron

 

I appreciate that these changes were required due to security and compliance issues. However, a lot of people liked having more detailed statistics than those supplied by geocaching.com in their profile and used GSAK+FSG or project-gc to generate those. Both sources created cool looking, well structured statistics pages by making use of "click" events and "show"/"hide" features of javascript/html. All of this no longer works. While I can see that some features of javascript were an issue, I don't see how the click/show/hide features could be a security/compliance risk.

 

Is there any chance to just bring a subset of supported features back that would allow those cool statistics pages to keep working without opening the page up to security/compliance issues? This would be similar to the cache listings only supporting a subset of available html tags...

 

We do not have any plans to open up the ability to use a subset of javascript at this time. 

 

  • Upvote 1
  • Surprised 3
  • Helpful 1

Share this post


Link to post
3 hours ago, thebruce0 said:

Regardless of whether any part of this change will be reverted even temporarily, yet again we have a significant change that came without warning that's affecting a large portion of the community (whether they know yet or not).  Without warning.   If there was a notice made even as soon as a week beforehand, there would have been time for people to make changes to their custom About page, and for devs of third party HTML source code to adjust how they're created to work with the new script-sanitized environment (and notify their users).

 

There's a whole lot of public unexpected achy breaky going on, and it's not reflecting well on the promise to "make better mistakes tomorrow".... :(

 

The most widely-used third party providers were given several weeks of notice. We made the decision internally to do standard release notes for this release since people can make the changes to their own profile at any time going forward. 

Share this post


Link to post
2 minutes ago, bootron said:

The most widely-used third party providers were given several weeks of notice.

 

Yes, it was communicated in the GSAK forums. However, the GSAK people were told this change would be rolled out to the staging servers and could be tested there. Several people (me one of them) ran tests with our profiles on both staging servers and our profiles still worked, so we assumed the change would not kill the profiles generated by FSG. Today, when it went live, everyone there was totally surprised (and not pleasantly, at that).

 

I don't know why we were told that this change could be tested on staging when in fact it was apparently not rolled out there....

  • Upvote 1
  • Helpful 3

Share this post


Link to post
13 minutes ago, bootron said:

We do not have any plans to open up the ability to use a subset of javascript at this time.

 

Thanks for your reply (even if it is not what I had hoped for).

  • Helpful 1

Share this post


Link to post
16 minutes ago, bootron said:

We made the decision internally to do standard release notes for this release since people can make the changes to their own profile at any time going forward. 

 

Not sure why it couldn't have been announced beforehand so that people would have time to make updates pre-breakage, instead of needlessly after unexpected breaking. I wouldn't be against the move to strip script from the custom About content (I reported and demonstrated long ago how the allowed scripting could be abused to spoof people and serve potentially malicious content but heard nothing back). So a pre-announcement might get some pushback, but I'd have been in support of the change for security reasons, and feel it's reasonable. But the hold on the announcement and spontaneous breaking of profile content caused more public angst than indeed necessary.

I was going to comment on the 3rd party folks being informed ahead of time as a good thing, but then sbeelis inserted another bump in that road... :unsure:

Edited by thebruce0
  • Helpful 1

Share this post


Link to post

Yes, I'm affected to. :(

I have a map of countries I've found caches, A mouse over zoomed in to Europe (many small countries) Mouse over the list of countries showed the individual countries with the regions I've found caches in.

I've also splitted the matrix and calendar statistics into cache types. (Got the matrix for 5 different types, working on the sixth) Clicking in the left corner switched between them.

I also had the banners collapsed an expanded via a mouse over.

 

I was able to get a lot of statistics into a relative small area because of these tactics. Do you expect me to expand all this statistics by default? Very ugly in my opionio, or are there techniques I'm able to collapse data without the use of javascript (css comes to mind, but when I tried to use that, I discovered It's also removed) 

 

By the way, because the font size definitions are now also ignored in tables, the last days of the month are not visible anymore.

 

To quote your president: "Very sad"

Share this post


Link to post

We generally do not warn users before we make security-related updates. In this case, we looked at the changes resulting from the updates and felt that the most important parts of the profile features were still working, and the remaining features could be updated over time.

Share this post


Link to post

Would you please put the date in the subject line of this thread? That's very helpful to me when looking at active threads. :)

  • Upvote 2

Share this post


Link to post
4 hours ago, Frau Potter said:

We generally do not warn users before we make security-related updates. In this case, we looked at the changes resulting from the updates and felt that the most important parts of the profile features were still working, and the remaining features could be updated over time.

This is a major change to how this functionality operates, why would you not tell people in advance? Sure some html is still displayed but that means nothing when the technical features that support the display have been fundamentally modified. Please tell me how table font size relates to security for instance? Is it not more likely that the development team did not really share the full impact of what they have perpetrated with the folks making the high level decisions?

Edited by lodgebarn
  • Helpful 1

Share this post


Link to post
14 hours ago, fraggle_[DE] said:

 

Hi me N u,

if I look at your profile I do see some Earth Cache banners and some statistics?

menu.png

 

and yet when we view our own profile no user generated content is displayed, same on old and new dashboards!

Share this post


Link to post
27 minutes ago, me N u said:

 

and yet when we view our own profile no user generated content is displayed, same on old and new dashboards!

What browser and OS are you using?  I can see your content, as in the image in the above post, in both 'old' and 'new' Profile views using Firefox 63.0.1

 

Share this post


Link to post
23 minutes ago, noncentric said:

What browser and OS are you using?  I can see your content, as in the image in the above post, in both 'old' and 'new' Profile views using Firefox 63.0.1

 

 

You beat us to it - the user content is NOT visible when viewing using IE11 but IS visible when using chrome - go figure.

Share this post


Link to post

The links on my profile page no longer work, I haven't used anything fancy like javascript, just straight links to other pages.

Clicking on any link just reloads my profile page.

When I 'hover' over a link, I see the expected URL has been replaced with a long random-looking URL on the geocaching.com site with the text "link:undefined" somewhere in the middle of it.

  • Upvote 1

Share this post


Link to post

I'm not going to reply now, because if I say what I  think, it will lead to a ban.

Not happy.

  • Upvote 5
  • Helpful 1
  • Love 1

Share this post


Link to post
2 minutes ago, alan666notb said:

The links on my profile page no longer work, I haven't used anything fancy like javascript, just straight links to other pages.

Clicking on any link just reloads my profile page.

When I 'hover' over a link, I see the expected URL has been replaced with a long random-looking URL on the geocaching.com site with the text "link:undefined" somewhere in the middle of it.

 

The silly/stupid part of this is that links to cachelistings on GC itself are changed in the same way. Probably for "security reasons" or "GDPR" (OK, I understand that links to cachepages are a security risk :rolleyes: ).

 

  • Upvote 1

Share this post


Link to post
1 hour ago, Gill & Tony said:

I'm not going to reply now, because if I say what I  think, it will lead to a ban.

Not happy.

An extra fat +1

  • Upvote 1

Share this post


Link to post
1 hour ago, Gill & Tony said:

I'm not going to reply now, because if I say what I  think, it will lead to a ban.

 

Banning people for speaking their minds is a sign of weakness and/or lack of arguments.

 

There, I said it... :ph34r:

 

  • Upvote 1

Share this post


Link to post
8 hours ago, me N u said:

 

You beat us to it - the user content is NOT visible when viewing using IE11 but IS visible when using chrome - go figure.

Yep, no matter what type of content (HTML or plain text) nothing is display using IE. 

Share this post


Link to post
On 11/8/2018 at 11:26 PM, The A-Team said:

The security concern does make sense and for that reason I'm not opposed to this change, but I can't figure out how GDPR applies. That regulation covers the processing of personal data, and I don't see how JavaScript is in any way related to that.

 

GDPR requires to report about data security breaches and this may be one of the kind.

Share this post


Link to post
10 hours ago, alan666notb said:

The links on my profile page no longer work, I haven't used anything fancy like javascript, just straight links to other pages.

Clicking on any link just reloads my profile page.

When I 'hover' over a link, I see the expected URL has been replaced with a long random-looking URL on the geocaching.com site with the text "link:undefined" somewhere in the middle of it.

What browser are you using?

Using Firefox 63.0.1, I can click on the "SideTracked" or "Church" images on your profile and it takes me to a cache page about the SideTracked Series or the Church Micro Series, respectively.  When I click in Firefox, then I get a pop-up box saying "Hey wait! You’re about to leave Geocaching.com. Are you sure you want to do that?" and if I click "Yes" then it takes me to that page you are linking to.  I suspect that the browser you are using is blocking the link and/or the pop-up box?

Share this post


Link to post
2 hours ago, arisoft said:

 

GDPR requires to report about data security breaches and this may be one of the kind.

Not really it is about data stored and managed by Groundspeak not what you have on your computer.

Share this post


Link to post

Can anyone explain to me why European law applies in the US or any other non-European country?  I mean, if an EU citizen chooses to visit the US physically, they are subject to US law.  Why is it different if they choose to visit virtually?

  • Upvote 2

Share this post


Link to post
11 hours ago, on4bam said:

 

Banning people for speaking their minds is a sign of weakness and/or lack of arguments.

 

There, I said it... :ph34r:

 

It was not the speaking my mind which would have been the problem, rather the language with which I was tempted to express those thoughts.  I still haven't calmed down.

  • Upvote 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 15

×