View Issue Details

ID: 0003289
Project: 3 - Current Dev List
Category: Bug
View Status: public
Last Update: 2019-06-09 19:04
Reporter: K7ZCZ
Assigned To: WA9PIE
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform: Intel i7-5960X
OS: Windows 10 Professional x64
OS Version: 16299
Product Version: 6.6
Target Version:
Fixed in Version:
Summary: 0003289: QLM license page has broken picture icon

Description:
Accessing the URL for a trial license shows a page that's missing a background image. Looks like that image is meant to be a logo.

I'm able to reproduce this in Microsoft Edge, Google Chrome, and Firefox.
Steps To Reproduce:
1) Go to the trial URL page: https://quicklicensemanager.com/hrdsoftwarellc/qlmcustomersite/hamregistrationform.aspx?is_productid=3&is_majorversion=6&is_minorversion=6&is_emailtemplate=9.%20Trial%20Request&is_emailsubject=Your%20Trial%20Key%20for%20Ham%20Radio%20Deluxe

BUG#1) The resulting page has a broken picture icon; looks like there's meant to be an HRD logo there.
Additional Information:
In Chrome, the network recorder in the Developer Tools shows a 403 (forbidden) error when trying to retrieve https://downloads.hamradiodeluxe.com/HRDlogoTransparentWide.png

I'm able to repro the problem in Microsoft Edge and Firefox, too.

The Google dev tools don't show full headers (Which is weird -- maybe I'm doing something wrong with the dev tools pane):

Request URL: https://downloads.hamradiodeluxe.com/HRDlogoTransparentWide.png
Request Method: GET
Status Code: 403 
Remote Address: 66.11.126.218:443
Referrer Policy: no-referrer-when-downgrade

Provisional headers are shown
DNT: 1
Referer: https://quicklicensemanager.com/hrdsoftwarellc/qlmcustomersite/hamregistrationform.aspx?is_productid=3&is_majorversion=6&is_minorversion=6&is_emailtemplate=9.%20Trial%20Request&is_emailsubject=Your%20Trial%20Key%20for%20Ham%20Radio%20Deluxe
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36





The Firefox developer tools let me drill into the request and response. Here are the request headers:

Host: downloads.hamradiodeluxe.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://quicklicensemanager.com/hrdsoftwarellc/qlmcustomersite/hamregistrationform.aspx?is_productid=3&is_majorversion=6&is_minorversion=6&is_emailtemplate=9.%20Trial%20Request&is_emailsubject=Your%20Trial%20Key%20for%20Ham%20Radio%20Deluxe
Connection: keep-alive
Cookie: _ga=GA1.2.57931038.1527602519
Cache-Control: max-age=0
TE: Trailers



Here are the response headers, indicating the 403.

HTTP/2.0 403 Forbidden
date: Thu, 11 Apr 2019 17:58:41 GMT
content-type: text/html
content-length: 146
cdn-pullzone: 30613
cdn-edgeid: 493
cdn-uid: 29cd2e4a-0479-49c4-ae25-2926a34bcd3d
server: BunnyCDN-WA1-493
cdn-requestid: 2ec86f7bbe6fdceb942ac64670415743
X-Firefox-Spdy: h2


The cdn-headers suggest the problem is with the CDN.
Tags: No tags attached.
Module: QLM
Sub-Module: Software License Key System
Testing: Beta Successful

Activities

K7ZCZ

2019-04-11 13:30

administrator  

HRDLogo403.png (117,615 bytes)

WA9PIE

2019-04-13 18:02

administrator   ~0007852

I think this was a caching problem. That said - I did update the image to fit within Soraco's specifications (112 x 80 px) and I'm not thrilled with it. But it's better than what it was.

K7ZCZ

2019-04-13 21:12

administrator   ~0007855

This still reproduces for me. There are no changes in the symptoms I've reported.

WA9PIE

2019-04-14 00:48

administrator  

WA9PIE

2019-04-14 00:48

administrator   ~0007856

Here's what I get when I test this:

K7ZCZ

2019-04-14 01:55

administrator   ~0007857

Using the different URL doesn't fix the problem for me; I still see what is shown in the original post.

I don't know how things on the servers involved are arranged, but the headers I see in the response make me think the CDN isn't working correctly.

I can reproduce this issue in Chrome, Firefox, and Edge on my desktop; and Edge and Chrome on my laptop.

K7ZCZ

2019-04-14 04:57

administrator   ~0007858

Maybe these steps are more likely to cause a repro:

1) Start up Chrome
2) CTRL+SHIFT+N to create a new incognito session
3) Visit https://quicklicensemanager.com/hrdsoftwarellc/qlmcustomersite/hamregistrationform.aspx?is_productid=3&is_majorversion=6&is_minorversion=6&is_emailtemplate=9.%20Trial%20Request&is_emailsubject=Your%20Trial%20Key%20for%20Ham%20Radio%20Deluxe

BUG#1) Broken picture Icon

4) CTRL+SHIFT+I to open developer tools
5) Activate the "Network" in the Developer Tools pane
6) CTRL+R to reload the page
7) "HRDlogoTransparentWide_112.png" shows 403

8) Click on the PNG request
9) Click on "Headers"
10) Looks like the request is being served from a CDN; 66.11.126.218 comes back to BunnyCDN

My guess is that the CDN is protecting itself from hotlinking, and is denying the request for the image based on the referrer. (The referrer header is visible in step #9).

The CDN should be configured to allow referrers from the third-party domains we plan to use to serve content.

We should also monitor the CDN so that these issues don't go along, unseen.

K7ZCZ

2019-04-14 10:07

administrator   ~0007859

Note that the licensing page also requests a FavIcon.ico from the HRD servers, and that request is also given a 403 response.

On a Linux system, the curl command can be used to demonstrate that the CDN is balking at the Referrer parameter being sent, and that prevents the image from being downloaded. This script emulates (most) of the headers that Firefox sends in this context:

curl \
    -v \
    --no-sessionid \
    -H "Referer: https://quicklicensemanager.com/hrdsoftwarellc/qlmcustomersite/hamregistrationform.aspx?is_args=hrd_trial" \
    -H "Cache-Control: max-age=0" \
    -H "Pragma: no-cache" \
    -H "Accept-Encoding: gzip, deflate, br" \
    -H "Accept: image/webp,*/*" \
    -H "Connection: keep-alive" \
    -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" \
    -H "TE: Trailers" \
    "https://downloads.hamradiodeluxe.com/HRDlogoTransparentWide.png?foo33" \
    --output /dev/null


Because the CDN doesn't like the referrer parameter, it responds with a 403. Here's the output of that curl command (only the response part):

< HTTP/2 403 
< date: Sun, 14 Apr 2019 15:05:09 GMT
< content-type: text/html
< cdn-pullzone: 30613
< cdn-edgeid: 493
< cdn-uid: 29cd2e4a-0479-49c4-ae25-2926a34bcd3d
< server: BunnyCDN-WA1-493
< cdn-requestid: 3b39401d83ef6043df3afadbb79d486a
< content-encoding: br
< 
{ [5 bytes data]
100   161    0   161    0     0   1872      0 --:--:-- --:--:-- --:--:--  1872
* Connection #0 to host downloads.hamradiodeluxe.com left intact


If we run the same command but don't provide a referrer header, we have this curl command:

curl \
    -v \
    --no-sessionid \
    -H "Cache-Control: max-age=0" \
    -H "Pragma: no-cache" \
    -H "Accept-Encoding: gzip, deflate, br" \
    -H "Accept: image/webp,*/*" \
    -H "Connection: keep-alive" \
    -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" \
    -H "TE: Trailers" \
    "https://downloads.hamradiodeluxe.com/HRDlogoTransparentWide.png?foo33" \
    --output /dev/null


Which downloads the file as expected:

< HTTP/2 200 
< date: Sun, 14 Apr 2019 15:06:39 GMT
< content-type: image/png
< content-length: 9009
< cdn-pullzone: 30613
< cdn-edgeid: 493
< cdn-uid: 29cd2e4a-0479-49c4-ae25-2926a34bcd3d
< last-modified: Sat, 13 Apr 2019 04:09:17 GMT
< cache-control: public, max-age=2592000
< cdn-cachedat: 2019-04-14 06:51:32
< cdn-requestid: fb5484dc5a22f86e9501e946251b81e6
< server: BunnyCDN-WA1-493
< cdn-cache: HIT
< accept-ranges: bytes
< 
{ [5 bytes data]
100  9009  100  9009    0     0  96870      0 --:--:-- --:--:-- --:--:-- 96870
* Connection #0 to host downloads.hamradiodeluxe.com left intact


I think this validates my theory that hot-linking protection at the CDN is the problem.
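
Added example (not part of the note above and not the project's or the CDN's own code): the with/without-Referer comparison from the curl runs, turned into a repeatable check that lists which embedding pages would be refused. It runs offline against a local stand-in for the edge; the `allowed_hosts` setting and the allowlist entries are assumptions, and the Referer is the one used in the curl test.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Referer copied from the curl test in the note; allowlist entries are assumptions.
LICENSE_PAGE = ("https://quicklicensemanager.com/hrdsoftwarellc/qlmcustomersite/"
                "hamregistrationform.aspx?is_args=hrd_trial")

class EdgeStandIn(BaseHTTPRequestHandler):
    """Local stand-in for a CDN edge doing referrer-based hotlink protection."""
    def do_GET(self):
        referer = self.headers.get("Referer")
        host = urlparse(referer).hostname if referer else None
        # A missing Referer is served; a Referer from an unlisted host is refused.
        ok = referer is None or host in self.server.allowed_hosts
        body = b"constructed image bytes" if ok else b"403 Forbidden"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def probe(asset_url, referer=None):
    """Return the HTTP status for asset_url, optionally sending a Referer."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    request = urllib.request.Request(asset_url)
    if referer is not None:
        request.add_header("Referer", referer)
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code

def blocked_embedders(allowed_hosts, embedding_pages):
    """Start the stand-in edge and return the pages whose Referer is refused."""
    server = HTTPServer(("127.0.0.1", 0), EdgeStandIn)
    server.allowed_hosts = set(allowed_hosts)  # hypothetical allowlist setting
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/HRDlogoTransparentWide.png"
    try:
        return [page for page in embedding_pages if probe(url, page) != 200]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(blocked_embedders({"downloads.hamradiodeluxe.com"}, [LICENSE_PAGE]))
```

Calling `probe()` on the production asset URL with each page that is meant to embed it, from a scheduled job, gives the monitoring the earlier note asks for: any status other than 200 flags a referrer the CDN is refusing.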

WA9PIE

2019-04-14 14:31

administrator   ~0007860

Interesting. I don't see it trying to pull a favicon.ico... but I'll look into that as well.

K7ZCZ

2019-04-14 15:49

administrator   ~0007861

The get for FavIcon is visible in the HRDLogo403.png image I pasted above. In the network request list, we see the browser try to get the HRDLogo file twice. The last line shows the failure of FavIcon. It fails with a 404, not a 403.

Issue History

Date Modified Username Field Change
2019-04-11 13:30 K7ZCZ New Issue
2019-04-11 13:30 K7ZCZ File Added: HRDLogo403.png
2019-04-11 13:30 K7ZCZ Summary QRM license page has broken picture icon => QLM license page has broken picture icon
2019-04-11 13:30 K7ZCZ Description Updated
2019-04-11 13:30 K7ZCZ Steps to Reproduce Updated
2019-04-11 13:30 K7ZCZ Additional Information Updated
2019-04-13 18:02 WA9PIE Module (select) => Website
2019-04-13 18:02 WA9PIE Testing Not Started => Beta Successful
2019-04-13 18:02 WA9PIE Note Added: 0007852
2019-04-13 18:02 WA9PIE Status new => closed
2019-04-13 18:02 WA9PIE Resolution open => fixed
2019-04-13 21:12 K7ZCZ Assigned To => WA9PIE
2019-04-13 21:12 K7ZCZ Status closed => assigned
2019-04-13 21:12 K7ZCZ Note Added: 0007855
2019-04-14 00:48 WA9PIE File Added: TrialRegistrationImage.PNG
2019-04-14 00:48 WA9PIE Note Added: 0007856
2019-04-14 01:55 K7ZCZ Note Added: 0007857
2019-04-14 04:57 K7ZCZ Note Added: 0007858
2019-04-14 10:07 K7ZCZ Note Added: 0007859
2019-04-14 14:31 WA9PIE Note Added: 0007860
2019-04-14 15:49 K7ZCZ Note Added: 0007861
2019-06-06 15:36 WA9PIE Status assigned => resolved
2019-06-07 18:10 WA9PIE Status resolved => closed
2019-06-09 19:02 WA9PIE Module Website => QLM
2019-06-09 19:04 WA9PIE Sub-Module (select) => Software License Key System