Xaquseg 473 followers

Xaquseg is the system administrator for FIMFiction, as well as various misc. development, especially related to security. Non-technical problems are probably best asked to other staff members.

News Archive

  • 19 weeks
    Fimfiction API

    If you're not a developer you can probably ignore this post.

    It's been like 6 years, but hey, things take time. The API is currently very WIP still but it's ready for people to get working on in our development chat room.

    API documentation can be found at https://www.fimfiction.net/developers/api/v2/docs and you should join the Discord Chat and PM me to add you to the private API channel and I can help you get started. The functionality is very limited right now but I'm dedicating all my time to it at the moment and would love to have people add their input to the process.

    60 comments · 4,430 views
  • 24 weeks
    New BBCode Tags

    Hey guys,

    One of the features in this new update was reader-side paragraph formatting. This helps improve consistency for readers across the site, especially for those of us who can’t stand reading indented text on a computer screen.

    However, one thing that wasn’t accounted for was the legitimate need for specific indenting of passages and for certain blocks of text to have no paragraph formatting. Some examples would be lyrics and poetry.

    Taking this into account, we have come up with a couple of new tags that remedy this situation which are documented below (copied directly from the bbcode guide)

    [indent] Indent

    The indent tag can be used to, unsurprisingly, indent portions of your text.

    [indent]The indent tag can be used to, unsurprisingly, indent portions of your text.[/indent]

    It also support levels of indenting

    Read More

    168 comments · 4,155 views
  • 24 weeks
    Fimfiction 4.0

    It’s been a very very long time coming, but we’ve finally updated the site again. this is by far the biggest update we have ever done. There is a cavalcade of new features but the biggest changes are under the hood and affect how easy it is to extend the site and performance. A change log of everything I can remember can be found below.

    There are bound to be unforeseen bugs. If you come across anything major please let us know in the comments (or preferably in the #site-help-and-dev discord channel).

    Miscellaneous / Site Wide

    • Dropped support entirely for pre-IE11
    • Updated inline searching across the site to order much better. Eg. Typing "Ra" into the tag selector actually shows Rainbow Dash first. On shorter lists like bookshelves, we use a different algorithm that lets you type things like "ril" and it’ll prioritise a shelf called "read it Later".

    Read More

    1,363 comments · 18,191 views
  • 25 weeks

    So, emojis are now supported all over the site. Go have fun and stuff.

    oh god what have we done

    192 comments · 3,663 views
  • 45 weeks
    New Character Tags

    I have added a total of 70 new character tags to the site today. They can be found below:

    Read More

    337 comments · 9,901 views
  • 91 weeks
    Minor (nah, they're totally major) Updates

    Over the past 2 weeks I've been rewriting our entire ajax routing (or lack thereof) structure. That's not very important to anyone using the site, since in theory absolutely nothing should change for you with this update but as with any significant rewrite of code, there are bound to be bugs that were introduced. I've tested as thoroughly as I can so hopefully there will be little in the way of issues but if you get any, let us know here so we can fix them. The only change in theory should be better error reporting to you and more endpoints that are signed and therefore a bit safer/less prone to abuse.

    I've also added a couple of minor fixes. For one, comment jumping should work better on stories and user pages now. There was also another issue I fixed but....it'll be a surprise because I can't even remember what it was myself!

    Read More

    330 comments · 5,929 views
  • 93 weeks
    New tag information page

    I have added a tag information page (also accessible in the FAQ dropdown) which provides guidelines for what the various rating and category tags should be used for. Please note that this is not intended to change how these tags are used, this is just documented already-enforced rules.

    This should help answer questions like "does my story need to be tagged mature?", explain how teen+sex works, etc. Users have been requesting more details about what each tag is intended for for a while now, this finally provides that information in a (hopefully) easy to understand way.

    I would also like to remind everyone that if you encounter a story with mature content that is not marked mature, you should report it. This is always a rules violation, and is enforced strictly. We want to make sure that users that have mature filtered out are not exposed to such content.

    82 comments · 2,366 views
  • 93 weeks
    Imgur problems

    Imgur has blacklisted us for image embeds, stating that they do not allow images on their service to be used as content on other websites. Their ToS seems to confirm this, stating:

    Also, don't use Imgur to host image libraries you link to from elsewhere, content for your website, advertising, avatars, or anything else that turns us into your content delivery network.

    This apparently applies to users uploading images to post on other websites (including this one, and I would have to assume most others), which we were not previously aware of. Unfortunately I do not have a recommendation of an alternative site for users to host images they need to embed on our site or elsewhere.

    Read More

    221 comments · 8,546 views
  • 100 weeks
    Minor rule clarifications and additions

    A few minor adjustments and additions have been made to the general rules.

    Read More

    346 comments · 9,047 views
  • 103 weeks
    Adjustments to chapter formatting controls

    I have made some minor improvements to chapter formatting controls.

    1. "Flash of unstyled content" should occur less often when loading chapters, especially on mobile. This should also help chapter load times on slower devices.
    2. Four new themes have been added (if someone has any particular wants for a colorscheme we're missing, please leave a comment)
    3. Authors notes box and chapter selector are now dark on dark themes.

    I plan to do some additional work to solve the white background that appears above the ratings box on themes that don't already use a white background, as well as some work to have a dark version of that bottom-of-chapter ratings box for dark reader themes, so there isn't a big light box right below the chapter content, as I've noticed this can be annoying while scrolling, especially on mobile. Both of these things are slightly larger scope projects, however, and I wanted to get these three improvements out now.

    51 comments · 1,974 views

Site Update » TLS for all users · 1:31am March 22nd

We have implemented TLS site-wide as an unconditional redirect. (http -> https) This improves security site-wide for all users, and shouldn't have any negative effects, performance or otherwise.

Report Xaquseg · 3,000 views ·
Comments ( 90 )


More secure!

~Skeeter The Lurker

cool! I'll say that to hide the fact I have idea what this does.

And could you explain that to those of us that are not tech savvy, please? lol
Tell it like you're trying to explain it to a Neanderthal or a Marine :rainbowlaugh:

...Could someone who actually understands this explain what it means, please?

Server Administrator

Before only some users were using encryption to access the site, now all users are using encryption to access the site.

Wow, thanks for the update... I'm surprised I didn't notice the switch. :\
But that's cool. It should make things better all around, security wise. ^^

what does it mean please

So, in short: Encryption went from 'optional', to 'mandatory', correct?


This improves security site-wide for all users

4466972 i know what does that mean i'm sorry if i'm not getting it

Basically means the site has less of a chance of being taken down by illegal means.

4466962 I'll confess that I was among the some who were not using encryption access (using http instead of https), mostly out of a habit of leaving a bunch of tabs open and not wanting to go through the effort of re-finding all of them under the encrypted version of the site.

But now I've just noticed that every time I try to go an http page, it automatically redirects me to the https version. In other words, all the tabs I have open can now be switched over to the encrypted version simply by refreshing the pages, so that'll make this change a lot easier for me to deal with.

4466974 oh okay thanks i needed to know thats good i guess

I'm secure in the knowledge that the level of security on this site can lay all my insecurities to rest.

Majin Syeekoh
Story Approver

I've been using HTTPS from the beginning, I'm surprised it took this long for it to be automatic.

I have no idea what the hell that means, BUT IT MAKES ME FEEL 20% SAFER!!!!


....It wasn't before?
(HTTPS Everywhere woohoo!)

4466976 Security protocol meaning initial log on between your computer and the website has an individual encryption coding put on all back and forth data. The idea being no-one can eavesdrop or tamper with it in between. Notice the url title on this page now starts with https instead of http. Mainly this is to protect your name and other private details from being taken for identity theft. So it's a good move.:pinkiehappy:

4467005 thanks for explaining

Great change.

Anyone else still unsure this is the page for Firefox explaining it in more detail for their browser but the basics should hold true for all browsers.
mixed content for Firefox

4466994 Just spotted you here, just a heads up for interest.:twilightsmile:

Nice! Thanks, site staff!

:unsuresweetie: Time for an SSL image proxy next! (He says while linking to a non-secure static file host.)

It provides reasonable protection against an actor from reading the information you're transmitting (eg, your account password), or from hijacking your connection to the website and serving you something different.

It doesn't even necessarily have to be technically malicious. For example, some wireless networks will attempt to hijack your connection in order to insert their own ads on the pages you visit. They can't do that on HTTPS.

However, HTTPS does not prevent someone from getting the IP of the website you go to, and that can be trivially matched to the website itself. So bad guys can still know you're reading horsewords, they just don't know which ones and can't steal your account info over the network.


This does not mean we can change passes to 123456 now or the what not, it just means https everywhere is not nessiceary.

When you realize that before this change somebody could potentially see what clopfics you were reading :pinkiegasp:

It didn't work. I'm still insecure.

Righto. Thanks, lads. But it does not say I am secure, unlike before.

Jolly Good.

Nice! It's always good to see better security features implemented.

Well, that explains the random crash last night.

Hrm. Firefox is claiming now that parts of the site are not secure.

Server Administrator

We do have plans to resolve the mixed content warnings caused by images over http, but those don't create very many security risks, so it's not a large enough issue to delay this change.

I've always wondered what the difference between Http and Https was

Hopefully it turns out for the better.
At least It should. It's important and nothing too major just some harmless coding updates.
That or FimFic Skynet happens.

4467119 Maybe it doesn't create too much of a security risk, but privacy...
Anyway, thanks for doing this; I couldn't tell you how many times I'd be on this site and realize I forgot to type https!

Server Administrator

It's only a privacy risk vs. not having mixed content. This change does not reduce user privacy, there's just more we can do to improve it.

Comments like those are just daring someone to launch something like a CSRF attack.

I linked to an image on lithl.info earlier. I have root on lithl.info, and I could easily reconfigure it from serving static content to serving dynamic content, then write a malicious script and have the previously linked image execute that script any time someone views the image. It helps that the image isn't actually being added to the DOM until someone clicks the URL, but that just means the malicious image won't execute on page load, and it doesn't stop a malicious image in a blog post or story chapter.

It's one thing to allow mixed content on your page. Publicly dismissing the danger of mixed content is something else entirely.

Server Administrator

<img> tags cannot execute client-side code, anything that is not an image is rejected by the browser. Additionally, images are the only resource the browser will allow a https: page to load off an http: domain.

What you are describing is the danger of cross-site resource inclusion, which is an entirely different problem. Additionally, you are describing XSS, not CSRF.

The two things you can do with the image included over http that wouldn't be possible if it was https are:
1. Observe the image being loaded if you can passively snoop on the user's internet connection, possibly identifying which page they loaded based on the URL of the image requested.
2. Replace the image with another image if you can actively modify the user's internet traffic.

I may have phrased that badly; I didn't mean to imply that you'd somehow created a privacy risk, sorry for making it sound like I was

Login or register to comment