Can Anyone See the Cartoon?

Posted: 2018-02-27, 19:31
by sevendy
https://contest.newyorker.com/CaptionContest.aspx?tab=winner

Can anyone see the cartoon? I can't, at least not in Pale Moon. However, if I page through the media section of the Page Info, it's there (http://www.newyorker.com/wp-content/uploads/2018/01/180129_contest-690.jpg; you'll have to close and re-open the Page Info to see it), but it's not scaled correctly, and it still will not render on the page.

Edit: Win7 x64

Re: Can Anyone See the Cartoon?

Posted: 2018-02-27, 20:12
by Night Wing
I get the same results as you and I'm using 64-bit Linux Pale Moon (27.7.2).

Re: Can Anyone See the Cartoon?

Posted: 2018-02-27, 20:26
by Sajadi
about:config

searching for: security.csp.enable

double click to false, reload the page

Gets shown

Re: Can Anyone See the Cartoon?

Posted: 2018-02-27, 20:37
by sevendy
Thanks, I noted some type of security warning on the location bar, but "disabling protection" there didn't help.

So, is disabling "security.csp.enable" universally safe to do? Firefox and Waterfox (yeah, I'm still trying to decide who to go with) also have "security.csp.enable = true" without this problem.

Re: Can Anyone See the Cartoon?

Posted: 2018-02-28, 16:10
by Moonchild
The problem is that they are trying to serve over https but are doing it wrong.

Their CSP indicates image sources may only be loaded over https but their cartoon is served over http.
Normally mixed-mode images are allowed but their own CSP rule blocks it.

Disabling CSP overall in the browser is NOT a good idea, because it will be your primary defense against XSS (cross-site-scripting) attacks.
Please contact the New Yorker and let them know of these issues -- they need to host everything on https if they are going to enforce it.
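
Added example, not part of the original thread and not any poster's code: a simplified check of whether a CSP lets a page load a given image, which a site owner could run over their own asset URLs before enforcing an https-only `img-src`. The page and image URLs are the ones quoted in the thread; the policy string is constructed for illustration (the site's actual header is not shown in the thread), and the matcher covers only a subset of CSP source matching.

```javascript
// Added example: simplified CSP source matching for image loads.
// Ports, paths, nonces and hashes are not handled.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Upgrades are allowed: an http expression also matches https URLs, never the reverse.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || (exprScheme === 'http' && urlScheme === 'https');
}

function sourceMatches(expr, url, page) {
  const scheme = url.protocol.slice(0, -1);
  const pageScheme = page.protocol.slice(0, -1);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return scheme === 'http' || scheme === 'https' || scheme === pageScheme;
  if (e === "'self'") return url.hostname === page.hostname && schemeMatches(pageScheme, scheme);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e.slice(0, -1), scheme);
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)/);
  if (!m) return false; // keywords such as 'unsafe-inline' never match a URL
  // A host without a scheme inherits the scheme of the protected page.
  if (!schemeMatches(m[1] || pageScheme, scheme)) return false;
  return m[2] ? url.hostname.endsWith('.' + m[3]) : url.hostname === m[3];
}

// img-src governs images; when it is absent the policy falls back to default-src.
function imageAllowed(cspHeader, pageUrl, imageUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy.get('img-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no applicable directive: CSP does not restrict images
  const page = new URL(pageUrl);
  const img = new URL(imageUrl, pageUrl);
  return sources.some((s) => sourceMatches(s, img, page));
}

// URLs are the ones quoted in the thread; the policy string is constructed for illustration.
const PAGE = 'https://contest.newyorker.com/CaptionContest.aspx?tab=winner';
const CARTOON = 'http://www.newyorker.com/wp-content/uploads/2018/01/180129_contest-690.jpg';
const SAMPLE_CSP = "default-src 'self'; img-src https:";
console.log(imageAllowed(SAMPLE_CSP, PAGE, CARTOON));                             // false
console.log(imageAllowed(SAMPLE_CSP, PAGE, CARTOON.replace('http:', 'https:')));  // true
```

This evaluates the CSP only; a browser's separate mixed-content handling is not modelled.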