
Release Notes (Website: User profiles) - November 8, 2018


 
With today’s release, JavaScript no longer works on Geocaching user profile pages. This change was made to address GDPR (General Data Protection Regulation) and general security concerns.
 
For users who have added content to their profile page, we suggest checking to confirm it is still displaying as expected. We’re sorry for any disruption this change may cause.
 
Sean B. (bootron), Geocaching HQ’s Engineering Manager, is watching this thread to answer questions whenever possible.


Any posts in this thread should relate to features in this release. Comments unrelated to the release may be removed. Please direct unrelated comments to other appropriate threads. Thanks!

Link to comment
11 minutes ago, Geocaching HQ said:

This change was made to address GDPR (General Data Protection Regulation) and general security concerns.

The security concern does make sense and for that reason I'm not opposed to this change, but I can't figure out how GDPR applies. That regulation covers the processing of personal data, and I don't see how JavaScript is in any way related to that.

  • Upvote 4
Link to comment

My guess is that this is related to GDPR since users can add tracking to their profile page. They still can, but it won't be javascript tracking anymore.
That is the only explanation I can think of. But this should mean that cache descriptions will change soon too.

  • Upvote 1
  • Helpful 1
Link to comment
38 minutes ago, Geocaching HQ said:

For users who have added content to their profile page, we suggest checking to confirm it is still displaying as expected.

The external links are just as broken as they were before this change.

 

Hint: Shift-Click should open the link in a new window, and Command-Click (or Control-Click) should open the link in a new tab.

Link to comment
11 minutes ago, thomfre said:

My guess is that this is related to GDPR since users can add tracking to their profile page. They still can, but it won't be javascript tracking anymore.
That is the only explanation I can think of.

That's possible. Thanks for the example.

 

Quote

But this should mean that cache descriptions will change soon too.

Why would they change? Descriptions have never allowed JavaScript.

Link to comment

Well, count me as one affected. hmph.

I liked the speed loading the profile page with static content, then loading an auto-updated optional large caching gsak stats page if the user wished, and not needing to regularly update the profile content.  Boo. Back to the more tedious basics.

 

Though I note now that the HREF properties are also stripped and replaced, so opening the link in a new tab doesn't work. We are forced to regular click the link and go through their intended link-visit process. That seems a little excessive. (hijacking basic browser behaviour is yuck; middle click should successfully open a link in a new tab, for instance)

Edited by thebruce0
  • Upvote 3
Link to comment
2 hours ago, The A-Team said:

The security concern does make sense and for that reason I'm not opposed to this change, but I can't figure out how GDPR applies. That regulation covers the processing of personal data, and I don't see how JavaScript is in any way related to that.

 

We have been making various changes to the website and mobile app in order to support GDPR issues and also PCI Compliance and general security concerns. This particular change is more about the latter two than it is about GDPR.

 

bootron

Link to comment
16 minutes ago, bootron said:

We have been making various changes to the website and mobile app in order to support GDPR issues and also PCI Compliance and general security concerns. This particular change is more about the latter two than it is about GDPR.

What was the reason for breaking the behavior of normal links?

Link to comment

OK, I'm confused.

 

How do I open the profile information I have added to my PROFILE?  Clicking on links doesn't work.

 

Also, since many challenge caches require you to have your stats on your profile for ease of checking for qualifications, what happens to all these caches?  How do they access it?  Seems like someone has opened a great big can of worms and has no idea of how to get them back in!  Right up there with the NEW AND IMPROVED cache location map page - it stinks!

 

Link to comment
1 hour ago, DragonSoldier45 said:

Also, since many challenge caches require you to have your stats on your profile for ease of checking for qualifications, what happens to all these caches?  How do they access it?  Seems like someone has opened a great big can of worms and has no idea of how to get them back in!  Right up there with the NEW AND IMPROVED cache location map page - it stinks!

Challenge caches that require "stats on your profile" usually mean that you have not chosen to hide statistics on the "Statistics" tab of your profile.  The change announced in the topic does not change anything in that Statistics tab.

 

I haven't seen a challenge cache that requires finders to put their statistics in the "About" tab of their profile, which is what this topic affects.  Would be interested to see one.

  • Upvote 3
Link to comment

@bootron

 

I appreciate that these changes were required due to security and compliance issues. However, a lot of people liked having more detailed statistics than those supplied by geocaching.com in their profile and used GSAK+FSG or project-gc to generate those. Both sources created cool looking, well structured statistics pages by making use of "click" events and "show"/"hide" features of javascript/html. All of this no longer works. While I can see that some features of javascript were an issue, I don't see how the click/show/hide features could be a security/compliance risk.

 

Is there any chance to just bring a subset of supported features back that would allow those cool statistics pages to keep working without opening the page up to security/compliance issues? This would be similar to the cache listings only supporting a subset of available html tags...

  • Upvote 6
Link to comment
1 hour ago, noncentric said:

I haven't seen a challenge cache that requires finders to put their statistics in the "About" tab of their profile, which is what this topic affects.  Would be interested to see one.

I think it wouldn't be publishable, since I don't see a way to challenge check it.

Link to comment
27 minutes ago, DerDiedler said:
1 hour ago, noncentric said:

I haven't seen a challenge cache that requires finders to put their statistics in the "About" tab of their profile, which is what this topic affects.  Would be interested to see one.

I think it wouldn't be publishable, since I don't see a way to challenge check it.

A bit off-topic, but pre-moratorium challenge caches didn't require a challenge checker.  But my point in my post is that I don't think there are any such challenges that require info be in the About tab, but if there are any (as DragonSoldier45 suggests there are) then I'd be interested to see them.

  • Upvote 1
Link to comment

Am I dreaming or has this change also caused giant fonts to appear on some data e.g. My GSAK generated static profile now looks hideous on a PC.  Maybe this was an earlier change  and I just failed to notice. 

 

BTW Mentioning JavaScript and GDPR in the same sentence is just so misleading. I think you should update everything here to remove GDPR to reinforce that javascript is security related and nothing whatsoever to do with GDPR.

Edited by lodgebarn
  • Upvote 3
Link to comment

In fact worse seems to be happening. None of the cache links on my profile work now. Of course if I open my profile page rendered from another web server all links work as before and the page displays correctly. This is not just javascript being blocked it is a wholesale massacre. Is it possible style tags have been affected as well somehow?

Edited by lodgebarn
Link to comment

This step affects thousands of geocachers who have their statistics in the profile. Although they can still upload them there, most of the improvements they've been working on for years have stopped working. It is not even possible to switch between different statistics sections, so there is a risk of returning to the old way, when everything was on a very long page. Additionally, some statistics generators are no longer supported by their creators, and this means a lot of work on switching to another system.

  • Upvote 2
  • Helpful 1
Link to comment
5 hours ago, Arne1 said:

This step affects thousands of geocachers who have their statistics in the profile. Although they can still upload them there, most of the improvements they've been working on for years have stopped working. It is not even possible to switch between different statistics sections, so there is a risk of returning to the old way, when everything was on a very long page. Additionally, some statistics generators are no longer supported by their creators, and this means a lot of work on switching to another system.

This might be a good time to mention the idea of a user-editable statistics page, which has been suggested before. That way these custom stats that form a very long page could go on the user-editable statistics page, and would hit only the people who actually clicked on that page.

Link to comment

Regardless of whether any part of this change will be reverted even temporarily, yet again we have a significant change that came without warning that's affecting a large portion of the community (whether they know yet or not).  Without warning.   If there was a notice made even as soon as a week beforehand, there would have been time for people to make changes to their custom About page, and for devs of third party HTML source code to adjust how they're created to work with the new script-sanitized environment (and notify their users).

 

There's a whole lot of public unexpected achy breaky going on, and it's not reflecting well on the promise to "make better mistakes tomorrow".... :(

Edited by thebruce0
Link to comment
49 minutes ago, me N u said:

We are non-techies, so how do we restore our Earthcache bronze, silver, gold and platinum banners for starters, or are we destined to have an almost blank profile with only the default text visible?

 

Hi me N u,

if I look at your profile I do see some Earth Cache banners and some statistics?

menu.png

Link to comment
13 hours ago, thomfre said:

Can you please restore outbound links? I see the need for blocking javascript, but links shouldn't be any problem.

Can you please make links open the normal way, so it doesn't trigger popup blocking...

 

We are looking into a fix for the links so they will behave more like standard html links.

  • Upvote 1
Link to comment
11 hours ago, sbeelis said:

@bootron

 

I appreciate that these changes were required due to security and compliance issues. However, a lot of people liked having more detailed statistics than those supplied by geocaching.com in their profile and used GSAK+FSG or project-gc to generate those. Both sources created cool looking, well structured statistics pages by making use of "click" events and "show"/"hide" features of javascript/html. All of this no longer works. While I can see that some features of javascript were an issue, I don't see how the click/show/hide features could be a security/compliance risk.

 

Is there any chance to just bring a subset of supported features back that would allow those cool statistics pages to keep working without opening the page up to security/compliance issues? This would be similar to the cache listings only supporting a subset of available html tags...

 

We do not have any plans to open up the ability to use a subset of javascript at this time. 

 

  • Upvote 1
  • Surprised 3
  • Helpful 1
Link to comment
3 hours ago, thebruce0 said:

Regardless of whether any part of this change will be reverted even temporarily, yet again we have a significant change that came without warning that's affecting a large portion of the community (whether they know yet or not).  Without warning.   If there was a notice made even as soon as a week beforehand, there would have been time for people to make changes to their custom About page, and for devs of third party HTML source code to adjust how they're created to work with the new script-sanitized environment (and notify their users).

 

There's a whole lot of public unexpected achy breaky going on, and it's not reflecting well on the promise to "make better mistakes tomorrow".... :(

 

The most widely-used third party providers were given several weeks of notice. We made the decision internally to do standard release notes for this release since people can make the changes to their own profile at any time going forward. 

Link to comment
2 minutes ago, bootron said:

The most widely-used third party providers were given several weeks of notice.

 

Yes, it was communicated in the GSAK forums. However, the GSAK people were told this change would be rolled out to the staging servers and could be tested there. Several people (me one of them) ran tests with our profiles on both staging servers and our profiles still worked, so we assumed the change would not kill the profiles generated by FSG. Today, when it went live, everyone there was totally surprised (and not pleasantly, at that).

 

I don't know why we were told that this change could be tested on staging when in fact it was apparently not rolled out there....

  • Upvote 1
  • Helpful 3
Link to comment
16 minutes ago, bootron said:

We made the decision internally to do standard release notes for this release since people can make the changes to their own profile at any time going forward. 

 

Not sure why it couldn't have been announced beforehand so that people would have time to make updates pre-breakage, instead of needlessly after unexpected breaking. I wouldn't be against the move to strip script from the custom About content (I reported and demonstrated long ago how the allowed scripting could be abused to spoof people and serve potentially malicious content but heard nothing back). So a pre-announcement might get some pushback, but I'd have been in support of the change for security reasons, and feel it's reasonable. But the hold on the announcement and spontaneous breaking of profile content caused more public angst than indeed necessary.

I was going to comment on the 3rd party folks being informed ahead of time as a good thing, but then sbeelis inserted another bump in that road... :unsure:

Edited by thebruce0
  • Helpful 1
Link to comment

Yes, I'm affected too. :(

I have a map of countries I've found caches in. A mouse over zoomed in to Europe (many small countries). Mouse over the list of countries showed the individual countries with the regions I've found caches in.

I've also split the matrix and calendar statistics into cache types. (Got the matrix for 5 different types, working on the sixth.) Clicking in the left corner switched between them.

I also had the banners collapsed and expanded via a mouse over.

 

I was able to get a lot of statistics into a relatively small area because of these tactics. Do you expect me to expand all these statistics by default? Very ugly in my opinion. Or are there techniques by which I'm able to collapse data without the use of javascript? (CSS comes to mind, but when I tried to use that, I discovered it's also removed.)

 

By the way, because the font size definitions are now also ignored in tables, the last days of the month are not visible anymore.

 

To quote your president: "Very sad"

Link to comment
4 hours ago, Frau Potter said:

We generally do not warn users before we make security-related updates. In this case, we looked at the changes resulting from the updates and felt that the most important parts of the profile features were still working, and the remaining features could be updated over time.

This is a major change to how this functionality operates, why would you not tell people in advance? Sure some html is still displayed but that means nothing when the technical features that support the display have been fundamentally modified. Please tell me how table font size relates to security for instance? Is it not more likely that the development team did not really share the full impact of what they have perpetrated with the folks making the high level decisions?

Edited by lodgebarn
  • Helpful 1
Link to comment
27 minutes ago, me N u said:

 

and yet when we view our own profile no user generated content is displayed, same on old and new dashboards!

What browser and OS are you using?  I can see your content, as in the image in the above post, in both 'old' and 'new' Profile views using Firefox 63.0.1

 

Link to comment
23 minutes ago, noncentric said:

What browser and OS are you using?  I can see your content, as in the image in the above post, in both 'old' and 'new' Profile views using Firefox 63.0.1

 

 

You beat us to it - the user content is NOT visible when viewing using IE11 but IS visible when using chrome - go figure.

Link to comment

The links on my profile page no longer work, I haven't used anything fancy like javascript, just straight links to other pages.

Clicking on any link just reloads my profile page.

When I 'hover' over a link, I see the expected URL has been replaced with a long random-looking URL on the geocaching.com site with the text "link:undefined" somewhere in the middle of it.

  • Upvote 1
Link to comment
2 minutes ago, alan666notb said:

The links on my profile page no longer work, I haven't used anything fancy like javascript, just straight links to other pages.

Clicking on any link just reloads my profile page.

When I 'hover' over a link, I see the expected URL has been replaced with a long random-looking URL on the geocaching.com site with the text "link:undefined" somewhere in the middle of it.

 

The silly/stupid part of this is that links to cachelistings on GC itself are changed in the same way. Probably for "security reasons" or "GDPR" (OK, I understand that links to cachepages are a security risk :rolleyes: ).

 

  • Upvote 1
Link to comment
On 11/8/2018 at 11:26 PM, The A-Team said:

The security concern does make sense and for that reason I'm not opposed to this change, but I can't figure out how GDPR applies. That regulation covers the processing of personal data, and I don't see how JavaScript is in any way related to that.

 

GDPR requires reporting of data security breaches, and this may be one of that kind.

Link to comment
10 hours ago, alan666notb said:

The links on my profile page no longer work, I haven't used anything fancy like javascript, just straight links to other pages.

Clicking on any link just reloads my profile page.

When I 'hover' over a link, I see the expected URL has been replaced with a long random-looking URL on the geocaching.com site with the text "link:undefined" somewhere in the middle of it.

What browser are you using?

Using Firefox 63.0.1, I can click on the "SideTracked" or "Church" images on your profile and it takes me to a cache page about the SideTracked Series or the Church Micro Series, respectively.  When I click in Firefox, then I get a pop-up box saying "Hey wait! You’re about to leave Geocaching.com. Are you sure you want to do that?" and if I click "Yes" then it takes me to that page you are linking to.  I suspect that the browser you are using is blocking the link and/or the pop-up box?

Link to comment
11 hours ago, on4bam said:

 

Banning people for speaking their minds is a sign of weakness and/or lack of arguments.

 

There, I said it... :ph34r:

 

It was not the speaking my mind which would have been the problem, rather the language with which I was tempted to express those thoughts.  I still haven't calmed down.

  • Upvote 1
Link to comment
This topic is now closed to further replies.