vhs / nomos

Membership management system made VHS-centric

Door access code and most of door access page is missing on Firefox for iOS #311

Closed timstr closed 1 month ago

timstr commented 2 months ago

I am signed in to membership.vanhack.ca on Firefox on my iPhone, yet this is all I see when I visit membership.vanhack.ca/#/dooraccess/:

[Screenshot: signal-2024-06-08-122018]

On desktop, I see an additional "Keyholders" heading containing tons of additional info, including the current door code.

This should be fixed promptly to prevent people from being literally caught in the rain. Visiting the page and signing back in in a private window in Firefox or separately in Safari does not fix the issue. This thus seems to be unique to the mobile view of the website, which can't be escaped with "Request desktop site" in iOS Firefox.

TyIsI commented 2 months ago

Hey,

I noticed that the site is being marked as untrusted.

Can you verify that?

Thanks

timstr commented 2 months ago

@TyIsI I noticed as well after posting this.

Just looking in Firefox on iOS, I'm not quite sure what it's coming from. When I first navigate to https://membership.vanhack.ca/#/login/, I get a happy lock icon. After signing in, it changes to the struck-through lock icon shown in the screenshot. Tapping that, I am told "Connection is not secure" and there's literally no other information as to why.

Purely based on timing, this leads me to suspect that one of the resources being loaded after login is loaded through insecure http. More aggressive/modern browser security policies might be blocking something as a result. There sadly doesn't seem to be any way for me to get information out of iOS Firefox about this with my existing tools.

I opened the site in Firefox on Ubuntu in a private window with the dev tools set to emulate an iPhone 11 (not full emulation but...). If I disable Firefox's HTTPS-only mode and repeat signing in and going to dooraccess, I see a single insecure request in the devtools network log made to http://i2.wp.com/lorempixel.com/64/64/people/. This same URL appears in the query string of an earlier request ultimately coming from this Gravatar image url: https://github.com/vhs/nomos/blob/2c8c79dff7ef437dc18b8c4d011b06b2595cd5de/web/user/user.html#L22

I believe that's what the "insecure" Firefox page status is coming from. Switching http:// to https:// in that URL should thus hopefully be enough to fix the security badge. However, I don't think it's ultimately related to the Keyholders heading failing to display. Looking at this code for the first time, I suspect it could be any number of JavaScript/Angular errors resulting in this condition failing: https://github.com/vhs/nomos/blob/2c8c79dff7ef437dc18b8c4d011b06b2595cd5de/web/user/dooraccess/dooraccess.html#L49

Would be nice right now if Firefox on iOS at least let you read console logs
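Added example, not part of the thread or the nomos code base: a small JavaScript audit for the situation described in the comment above, where an `http://` URL is carried in the query string of an `https://` image URL and so is missed by a check that only looks at each attribute's own scheme. The sample markup, the `d` parameter name and the zeroed hash are constructed for illustration.

```javascript
// Constructed sample markup. The avatar hash is a placeholder and the "d"
// parameter name is an assumption; only the nested http:// URL is from the thread.
const SAMPLE_TEMPLATE = `
<img src="https://www.gravatar.com/avatar/00000000000000000000000000000000?s=64&amp;d=http%3A%2F%2Fi2.wp.com%2Florempixel.com%2F64%2F64%2Fpeople%2F">
<img src="https://example.org/logo.png">
<script src="http://example.org/lib.js"></script>
`;

// Collect every src/href attribute value from the markup.
function extractResourceUrls(markup) {
  const urls = [];
  const attr = /\b(?:src|href)\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = attr.exec(markup)) !== null) {
    urls.push(m[2].replace(/&amp;/g, "&")); // undo HTML entity encoding
  }
  return urls;
}

// Report a URL if it, or any URL carried in its query parameters, uses http:.
function findInsecure(url, path = "url", depth = 0) {
  const findings = [];
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return findings; // relative path or unrendered template expression
  }
  if (parsed.protocol === "http:") findings.push({ where: path, url });
  if (depth >= 3) return findings; // bound the recursion on nested URLs
  for (const [key, value] of parsed.searchParams) {
    // searchParams values are already percent-decoded
    if (/^https?:\/\//i.test(value)) {
      findings.push(...findInsecure(value, `${path} -> ?${key}`, depth + 1));
    }
  }
  return findings;
}

// Audit a whole template: one finding per insecure URL, direct or nested.
function auditTemplate(markup) {
  return extractResourceUrls(markup).flatMap((u) => findInsecure(u));
}

console.log(auditTemplate(SAMPLE_TEMPLATE));
```

The `where` field shows whether the insecure URL was the attribute itself or was reached through a query parameter, which is the case a plain scheme check on `src` would not report.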

TyIsI commented 2 months ago

As far as I know, most browsers still use webkit on iPhone. As you mentioned it not working on Safari either, the problem seems to be in Safari (and not Firefox).

Are you up to date on all your updates on your iPhone? Do you use any VPN or DNS services on your iPhone?

I don't have access to an iPhone, so I can't reproduce the issue. But Firefox in general (Windows, Linux, and Android) does not have this issue.

timstr commented 2 months ago

My iPhone is iOS 15.8.2 (latest 15, can't do a higher major version because old 6S hardware) and the latest Firefox for iOS in the App Store which is 126.2

timstr commented 2 months ago

I just also tried Google Chrome for iOS as well and no dice

coryalder commented 2 months ago

If you plug an iPhone into a mac, you can debug (console, inspector, etc) mobile safari (and maybe mobile firefox) from desktop safari

timstr commented 2 months ago

I don't have a Mac. Is there one in the Space anywhere? I'm currently there

timstr commented 2 months ago

If not, I can borrow my partner's Mac in the coming day or two

coryalder commented 2 months ago

Not that I know of. Just confirmed safari on desktop doesn't have this issue (safari 17.4.1, also firefox on mac works fine)

TyIsI commented 2 months ago

@timstr what version of Safari are you running?

TyIsI commented 1 month ago

Sorry, not supported combination of frontend implementation and browser.

This might work again when the frontend has been rewritten.