bowelcrusher OP t1_ir4078c wrote on October 5, 2022 at 4:12 AM

Reply to comment by ipaqmaster in An anonymous polling site for sensitive topics, with live stats and a heatmap (NEW: add your own questions!) by bowelcrusher

Thanks for letting me know - definitely wanna sort that out. I haven't been able to recreate this on safari or chrome; will you please let me know which web browser you're using?

ipaqmaster t1_ir41lwb wrote on October 5, 2022 at 4:26 AM

Mozilla Firefox 105.0.1 on Linux kernel 5.19.12

I can see it in the Network tab of Developer Tools, after registering to make a vote count it POSTs to /new_vote and catches a 302 redirect, but the location header of that 302 is Location: http://myworld.vote which is where that downgrade caught my attention. Granted in the majority of cases, a browser will remember an earlier 301 and not follow the URI to be told 301 > https a second time. (But because your reddit post URL specifies https, that was my browser's first time being redirected to it again)

Anyone running an SSL enforcer could get stuck there which I guess is where setting your HSTS headers could save the day in that case. Otherwise fixing that Location string.

Easy change in new_vote I presume. That endpoint also explains why it happened a second time post-registration during another vote.

bowelcrusher OP t1_ir42kef wrote on October 5, 2022 at 4:36 AM

Thanks a lot for pointing this out!

ipaqmaster t1_ir42ucd wrote on October 5, 2022 at 4:39 AM

All good. Cool site!

[deleted] t1_ir41aj8 wrote on October 5, 2022 at 4:23 AM

[deleted]