Security updates live on IFDB

In a recent update to IFDB, we’ve added a Content Security Policy, designed to provide broad defenses against XSS attacks.

The change required updates to almost every part of IFDB, and so it wouldn’t be totally shocking if I broke something while rolling it out.

If you see a new issue, I invite you to reply here, or to file a bug in our suggestion tracker at


Something seems to have gone awry with game tags:

  • Individual game pages aren’t showing me any of a game’s tags. (Whether I’m logged in or not.)
  • While I’m logged in, the “Your tags: - Edit” link on a game page takes me to a page that says “JavaScript Required” This wasn’t the case a few days ago. (Also, tags I know I’ve added aren’t listed.)
  • Things involving tags that still work:
    • The “all tags” pages.
    • Clicking on an individual tag in that tag cloud (to search for games matching a tag) returns results, demonstrating that games do still have the tags, even though they’re not currently shown.
      For instance, clicking on the “crime” tag returns a list including Taco Fiction, but that game’s page does not show the tag “crime”.

Prompted by this, I’ve had a look at other parts of IFDB. Here are some other things I’ve noticed that look broken:

  • The magic that generates links to IFWiki based on IFID no longer seems to be working (whether logged in or not). See for instead Anchorhead: current version and archived version from last month (also demonstrates lack of tags).
    (I have previously noticed the IFWiki link takes a moment to appear, so I guess there’s client-side scripting involved somehow.)
  • Logged in edit-game UI, (compared to my recent memory), seems pretty broken:
    • The various list-like elements (‘Download Links’, ‘Off-Site Reviews’, ‘Cross-References’) do not list existing data, and there’s no UI to add new entries to the lists either (there used to be a button).
      (I don’t know what happens if you click ‘Save Changes’ in this state – might it lose existing data?)
    • The links to helper pop-ups (like ‘Link to author’s profile’) go to the ‘JavaScript Required’ page.
    • ‘Help’ type links (like ‘Formatting Hints’, ‘Help with License Types’) now open a new tab, not a pop-up.
    • ‘Upload a new image’ button is present, but does little (just moves to top of editgame page).
  • Other edit pages, such as, seem broken in similar ways – I’ve not looked at all of them.

While my browser settings are moderately locked-down, these functions were working for me a few days ago, nothing obvious has changed on my end, and this seems more likely to be related to the server-side XSS changes.
(I can re-raise this stuff as GitHub issues, but thought it was worth posting here to confirm it’s not specific to me somehow.)


Another forum user notes that spoiler folds don’t open any more.


Clicking on a news item from a game page also gives the “JavaScript Required” page. (For instance, the ‘Annotated Source’ news item on The Statue Got Me High.)
In this case it’s still possible to view the content by clicking ‘Expand all’ instead.

(I guess many of these will turn out to have a few common root causes, so I’m mainly posting this to add to the set of things to check once fixes have gone in.)


@JTN I’m not reproducing the issues you’re reporting here. Do folks on @IFDB-committee reproduce these issues?

I hypothesize that JTN’s browser has cached an old version of our JavaScript, causing strange issues that I won’t be able to reproduce.

Please try viewing IFDB in a private/incognito browser window. If it works there, that will confirm my suspicions.

I’m going to try to prevent future issues like this in a general way with this PR:

1 Like

I have the same suggestion for @heasm66. Does switching to a private/incognito window fix spoiler tags for you?

1 Like

I’m not reproducing the issues. I’m using the dark theme, if that makes a difference. I see tags and when editing I see the fields as filled in with previous information.

1 Like

I don’t have these problems on my Win 11 x64 w/edge. Or on my iPhone w safari.

I do have two problems, even in a private window:

  • Review embargo defaults to 1/1/1970, which must be manually cleared.
  • Menu and “hamburger” button on mobile don’t work. If I flip to landscape, the buttons in the menu work fine.
1 Like

I still get the problem with the spoiler I linked in my post (TempestDash on De Baron). I’ve tried on my laptop (Firefox, Chrome) both in normal and private mode and Crome and Samsung’s browser on my phone (in both private and normal mode).

1 Like

I just deployed the cache busting PR, as well as a fix for the mobile hamburger menu and the 1970 embargo default.

Try it again now?


Yes to both!


Looks like the spoiler problem is specifically caused by that review being spoilers because it was “flagged” by another user, so it’s probably a different part of the CSS.

1 Like

For the cases where I said an issue occurred “whether logged in or not”, the “not” case was actually in a private window. So, at the time I reported, I’d already demonstrated things like tags being missing happening in a private window.
(I have been using IFDB in the past weeks, so it’s totally plausible that I’d have stuff cached, but hopefully this rules that out.)

Coming back to it now (after your cache-busting change), all is still not well for me, but it’s failing a bit differently. A few details below.

Probably relevant: if I load e.g. the Anchorhead game page with the Developer Tools open, the Console shows a load of Content Security Policy errors (both not-private-logged-in and private-window-logged-out):

Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). viewgame:17:1
Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). viewgame:126:1
Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src"). viewgame:151:1

So I guess this is some quirk in my browser’s handling of content security policies, but I’m not au fait with those.
(My browser is Firefox 102.13.0esr, from Debian 11. I have the uBlock Origin extension, but it doesn’t claim to be interfering with Reloading a page with uBlock Origin disabled doesn’t make things any better.)

Current failures I see: (basically, much the same as before)

  • Still no tags on viewgame (private window or not).
  • “Edit tags” UI on viewgame is kind of expanded out, like if I had Javascript disabled or similar (private window or not, although details are slightly different).
  • IFWiki link still missing on viewgame (private window or no).
  • editgame (not tried private window) still broken in most of the ways I described, including lacking list-type data, but controls which weren’t present before now appear, but in the same expanded-out broken-looking form. form. (E.g., the first thing on my view of the editgame page is the “Please indicate the copyright status of this image” radio buttons, which normally only show up when editing covers.)
    (Same sort of slew of Content Security Policy errors in console.)
  • editcomp is similarly broken.
  • viewgame News items fail as before. (Private window or no.)
  • De Baron spoiler fold still fails to open. (Plus I now have a bunch of probably-shouldn’t-be-shown UI on the review section of viewgame like “Promote this user”, which was probably supposed to be in a submenu.)
1 Like

Aha! I have reproduced and fixed @JTN’s issue in Firefox ESR 102. (This issue does not affect the latest Firefox 115.)

It looks like we were hitting this bug.

It seems like Firefox doesn’t support nonces in default-src. If you specify the script-src and style-src directives with the necessary sources it should work. I tested this with Firefox 77 and 79.

Our CSP header looked like this:

Content-Security-Policy: default-src 'self' 'nonce-$nonce';

Now it looks like this:

Content-Security-Policy: default-src 'self' 'nonce-$nonce';
    script-src 'self' 'nonce-$nonce';
    style-src 'self' 'nonce-$nonce';

Deploying this change seems to have fixed CSP on Firefox 102 ESR.


Thanks! I thought it might be something of the kind.

I confirm that fixes everything that only I reported.
(The spoiler fold for De Baron, that @heasm66 first reported, still doesn’t work for me.)

1 Like

I’ve fixed the spoiler fold issue on De Baron.

This one was totally my fault. I was only attaching a click handler to the first spoiler tag on a page, and not to later spoilers. :flushed: