Second Life forums just got broken

[dinosaur]

Apparently, Invision (the forum provider) just changed something for the Second Life forum: https://community.secondlife.com/forums/

Not sure if the error in the console is related, or if this is due to a CSS change that Pale Moon won't support, but this is what it spits out:

Code: Select all

Timestamp: 09/12/2025 20:54:07
Error: None of the “sha512” hashes in the integrity attribute match the content of the subresource.
Source File: https://community.secondlife.com/forums/
Line: 0

The result is a totally broken (unreadable) page.

EDIT: after enabling layout.css.report_errors, I can indeed confirm it's a CSS issue. I get gazillions of errors in the vein of:

Code: Select all

Timestamp: 09/12/2025 22:02:59
Warning: Expected a number or an angle but found ‘calc(’.  Error in parsing value for ‘background’ after substituting variables. Generated value was ‘hsl(calc(260 - 40), calc(calc( 0 / 100) * 100%), calc(77% + 21% * calc(100 / 100)))’.  Falling back to ‘initial’.
Source File: https://community.secondlife.com/static/css/core_global_framework_framework.css?v=d815db93211765308208
Line: 1
Source Code:
hsl(calc(260 - 40), calc(calc( 0 / 100) * 100%), calc(77% + 21% * calc(100 / 100)))

So, apparently, 'calc()' is what the site wants and Pale Moon does not have...

EDITI2: after looking at the Pale Moon sources, it looks like calc() is there... Re-reading the error messages, the problem seems to stem to nested calc(), which Pale Moon does not seem to support (it was introduced in Firefox 48 only; see this page, but not under PM, since the table won't show).

[adoxa]

Tuts 4 You also uses Invision, but it's not as broken as that, so I just put up with it (had a half-hearted attempt at fixing it, but there's just too much). One simple adjustment, via userstyle:

Code: Select all

@-moz-document domain("community.secondlife.com") {
  .ipsData__last {
    display: flex;
  }
}

If you want more than that, I'm afraid it's backup browser time.

[dinosaur]

Tuts 4 You also uses Invision, but it's not as broken as that, so I just put up with it (had a half-hearted attempt at fixing it, but there's just too much).

Since the issue is with nested calc() calls, maybe it would be possible to replace all such calls with intermediate results (not sure, but CSS might allow that, i.e. setting a "variable" from a (deep) calc() call, and reusing that variable value in the final CSS attribute, in place of the nested calc() ?)

One simple adjustment, via userstyle:

Code: Select all

@-moz-document domain("community.secondlife.com") {
  .ipsData__last {
    display: flex;
  }
}

Thanks a bunch for the head-up ! I did not know about this extension, and it indeed helps.

I added an entry for unreadable menu bar (black fonts on dark blue background), and I'm currently using:

Code: Select all

@-moz-document domain("community.secondlife.com") {
  .ipsData__last {
    display: flex;
  }
  .ipsHeader__secondary {
     background: none;
  }
}

But there are so many broken things (such as pull-down menus), that:

If you want more than that, I'm afraid it's backup browser time.

Sadly, this is for now the only (hopefully interim) solution... Using Waterfox as a backup browser, but I don't like its UI (GTK3 instead of GTK2 for a start, but not just that) and it lacks a lot of (XUL-only) extensions that I consider totally vital and use in Pale Moon...

And even more sadly, while a couple years ago I needed to use Waterfox once in a Blue Moon (pun intended), nowadays, I'm forced to use it every day. (*)
----------
(*) Especially because of the lack WeakRef() support in Pale Moon, which represents like 80% of the incompatibility issues I am encountering for the sites I visit.

[jobbautista9]

(*) Especially because of the lack WeakRef() support in Pale Moon, which represents like 80% of the incompatibility issues I am encountering for the sites I visit.

Well that's just depressing. We don't really want to implement WeakRef and let websites control the browser's internals of the JavaScript engine. This is just abuse and security issues begging to be discovered. Issue #2306 (UXP)

[dinosaur]

Well that's just depressing. We don't really want to implement WeakRef and let websites control the browser's internals of the JavaScript engine. This is just abuse and security issues begging to be discovered. Issue #2306 (UXP)

What about implementing it nonetheless, and "hide" it behind an about:config setting ?...

People wanting to use Pale Moon at all price, like me, would be able to enable it, knowing exactly what they are doing and what risks they take doing so, and others would stay "safe" (or as safe as web browsing can be, nowadays).

[Moonchild]

WeakRef is a monumentally bad idea.
The sane way to handle this is have a WeakRef API that gives pages the front-facing expected functions and constructor but them being noops in the back-end. Not adding a sec footgun behind a pref that people like yourself will just flip and forget about.

[dinosaur]

that people like yourself will just flip and forget about.

You are of course free to develop your software as you wish, but pretty please do not be insulting towards "people like myself'.

FYI, I have been programming computers for over 45 years. I do know what I am doing when I am doing it. I am perfectly capable to enable such a pref on a per-site basis (especially since I am using self-written browser extensions, as well as paranoid-geared extensions such as NoScript)...

[Moonchild]

Jeez. I meant no disrespect with what I said. The fact you asked for it behind a pref most likely (but feel free to prove me wrong) means you intend to switch it on, so you would be part of the set and forget group of people, that is what I was saying. Are you really going to flip it on and off all the time if you run to it often enough to ask for this setup? Be honest.

But, if you insist on taking offense to that, then of course I can't stop you, either.

Context, people, context.

That being said, it is simply a bad idea to allow hostile page content access to browser internals. Especially for an API that doesn't even guarantee anything! So we can implement this without requiring any back-end reach-in at all because we simply don't need to allow any manipulation of our garbage collector by page content. This is even a spec I would refuse even if the spec itself indicated we must do something like this because it's just unsanitary. As a long-time developer you should know this, too.

[dinosaur]

I meant no disrespect with what I said. The fact you asked for it behind a pref most likely (but feel free to prove me wrong) means you intend to switch it on, so you would be part of the set and forget group of people

Proving you wrong then: I'd just setup yet another CustomButton as a toggle (defaulting to OFF when browser is launched) for this new setting in the status bar (I already got half a dozen such buttons there).

Fun game: spot the six CustomButton's in this status bar, and guess their function:

statusbar.png

There's also the fact that, using NoScript, even if I were to forget to click the toggle-button off when visiting a new site, that WeakRef() flaw won't risk to impact me (since the scripts won't run at all before I would white-list each and every domain for that site, and then I'd see the button toggle color since the NoScript button would be next to the WeakRef() toggle)...

Are you really going to flip it on and off all the time if you run to it often enough to ask for this setup? Be honest.

YES. I am indeed totally paranoid.

This said, I also need to use sites, which I trust, and that, sadly, are relying on this flawed feature (Compiler Explorer, for example, which is an invaluable tool for programmers like me, who are obsessed with software optimizations).

That being said, it is simply a bad idea to allow hostile page content access to browser internals. .../... As a long-time developer you should know this, too.

As a long time developer, I have been and I am still faced with such Cornelian choices, yes, but instead of refusing to implement a flawed feature the users of my pieces of software do need, I elected to try and educate them: for each such feature, there's a setting defaulting to OFF, and when the user enables that setting, my software presents them with an alert window explaining the risks they are taking by enabling that feature, and asking confirmation.

This said, we are digressing from the original topic of this forum thread. I gave you my suggestions. Adopt them or reject them: it's your choice. But pretty please, do not make assumptions about who are the users of your software, how experienced they are, how rigorous, security-minded or even paranoid they are, because you just are going to make wrong assumptions about a lot of the said users, and going to upset them...

[Moonchild]

YES. I am indeed totally paranoid.

I stand corrected then in my assumption!

Your exceptional vigor aside though, others would definitely just "flip the pref and have it work" never to flip it back off again, and as a result unwittingly expose themselves to potentially very risky site scripting.

[dinosaur]

Your exceptional vigor aside though, others would definitely just "flip the pref and have it work" never to flip it back off again, and as a result unwittingly expose themselves to potentially very risky site scripting.

Thus my suggestion for an alert dialog...


But back on topic: any hope for nested calc() support in CSS for Pale Moon ?

[Moonchild]

But back on topic: any hope for nested calc() support in CSS for Pale Moon ?

Depends entirely on how much developer help we get. CSS isn't supposed to be a scripting language. Recursive parsing was never part of its initial design so our implementation isn't very flexible in that respect. We'll need help. If you know of anyone who could help, feel free to reach out.

[moonbat]

Also why are you using NoScript when its own developer abandoned support for the Pale Moon compatible version in 2017 and it is known to cause irreversible problems to your profile that forfeit your right to expect support here? eMatrix is the equivalent content blocker for Pale Moon.

[dinosaur]

Also why are you using NoScript when its own developer abandoned support for the Pale Moon compatible version in 2017 and it is known to cause irreversible problems to your profile that forfeit your right to expect support here?

1. I never encountered any issue with NoScript, at least in the way I configured it (there are many options, and some may indeed be broken).
2. When I encounter an issue with a site and suspect a PM bug/missing feature, I always test again the site from a blank profile (I have so many extensions, that one could be the culprit, and NoScript won't be the only usual suspect there).
3. I never found an equivalent extension that would fulfill the same purpose as NoScript in order to replace the latter.

eMatrix is the equivalent content blocker for Pale Moon.

I did not know about this extension, but by reading its description, it does not seem designed to block scripts, but "requests". But I'll have a look at it...

[moonbat]

it does not seem designed to block scripts,

It's a complete content blocker that works as a whitelist. For a given webpage, you can block cookies,CSS,media (images mostly), scripts, background XMLHTTPRequests (XHR) and frames. By default everything is blocked except what you explicitly allow, so it will take a while to configure for frequently visited sites that you use.

[dinosaur]

It's a complete content blocker that works as a whitelist. For a given webpage, you can block cookies,CSS,media (images mostly), .../... and frames

Not needed... Got Cookie Controller for cookies and uBlock for the rest...

I'm only interested in scripts blocking, via white-listing (i.e. everything blocked until I give the go, either temporarily or permanently).

So, yeah, I did give it a try, but no, it's not to my taste... I'll stick with NoScript (I've been using it for well over a decade now, and without a single issue, so...).

[Mæstro]

When I encounter an issue with a site and suspect a PM bug/missing feature, I always test again the site from a blank profile (I have so many extensions, that one could be the culprit, and NoScript won't be the only usual suspect there).

Here is wisdom. This is good practise for any unusual setup, not just controversial extensions like NoScript. My lower right browser corner is also a small army of assorted blockers. For this purpose, I keep a side profile with nothing but a simple advert blocker for testing Pale Moon’s behaviour without the many special configuration settings I have chosen. In principle, I could use that as a backup browser like Epiphany (which supports Easylist and Easyprivacy filtering as innate settings), Firefox or Chromium with µBlock.