
RS Companion web browser

Quick find code: 278-279-325-65980875

Pinecone_Gng
Any reason why the web browser variant is not HTTPS encrypted? Kind of odd since basically every other login page does have HTTPS encryption? Obviously don't want to be sending my login details over plain text to use it :/.

15-Jan-2018 16:24:12

Spearmint30
Even though the iframe references an SSL, https secured page, the comapp.ws page could easily be secured as well. Browsers are becoming more and more intrusive about unsecured, http pages. You used to have to know to look for the https and SSL "lock" icon in the address bar and now, browsers have a pop-under on each form field on http pages by default.

I've attached a screenshot showing that Firefox does not care that the iframe on the page references an https page:



Since the Companion Web App runs in a frame-based environment anyway, we're talking about securing a single page hosting the iframe. Then again, if later interfaces in the frame aren't secured, we could run into a "Mixed Active Content" scenario with http iframes embedded into an https page. The current login form is being encrypted within the iframe, but we've lost the ability to confirm the secured connection with authentication from the SSL certificate on the server.

The best fix would be to use the already existing login system used on the rest of the site and allow it to hand off the session credentials to the Companion Web App, which means it would pretty much work like the rest of the site in that respect. Not to mention the peace of mind for the end-users.

Granted, this isn't a serious issue, but one the web development team could consider down the road at some point.

EDIT: Wrong formatting...
Spearmint30 | Taking a long walk on the beach.

16-Jan-2018 05:38:28 - Last edited on 16-Jan-2018 05:41:48 by Spearmint30
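
Added example, not part of the original thread: a small Python check that classifies each frame on a page by the scheme pairing discussed in the post above (an HTTP page hosting an HTTPS login frame, and the reverse "Mixed Active Content" case). The host names, the sample markup and the verdict labels are constructed placeholders, not the site's real pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample markup; the hosts are placeholders.
SAMPLE_HTML = """
<html><body>
  <iframe src="https://login.example.test/form"></iframe>
  <iframe src="//cdn.example.test/news"></iframe>
  <iframe src="about:blank"></iframe>
</body></html>
"""

class _FrameCollector(HTMLParser):
    """Collects the src attribute of every <iframe>/<frame> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_frames(page_url, html):
    """Return [(absolute_frame_url, verdict)] for the frames in page_url."""
    parent = urlsplit(page_url).scheme.lower()
    collector = _FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Resolve relative and protocol-relative URLs like a browser would.
        frame_url = urljoin(page_url, src)
        frame = urlsplit(frame_url).scheme.lower()
        if frame not in ("http", "https"):
            verdict = "non-network"
        elif parent == "http" and frame == "https":
            # Frame traffic is encrypted, but the address bar shows no
            # certificate and the hosting page travels unprotected.
            verdict = "unauthenticated-host"
        elif parent == "https" and frame == "http":
            verdict = "mixed-active-content"
        elif parent == "https":
            verdict = "ok"
        else:
            verdict = "plaintext"
        findings.append((frame_url, verdict))
    return findings
```
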

Mod Lyon

Jagex Moderator
Hey,

As has been mentioned, all of the login pages on all of our sites use HTTPS. Converting those pages to HTTPS/HTTP2 is a goal we have in mind, although we have to prioritise other tasks at the moment.

As for the companion app itself, as has already been announced, due to mobile this service will shortly be ending, and thus we are not going to be spending time on updating any of its services unless there is something significant enough that it requires urgent work.

Thanks,
Mod Lyon
Jagex Web Team

Twitter - @JagexLyon

16-Jan-2018 09:36:32

Pinecone_Gng
Understandable. The features within the browser version of the companion are fine, just the page doesn't look "legitimate" I guess when compared to other parts of the site. I know you guys don't plan on really adding anything new to it, but it may be worth just adding the URL under the companion app section of the site? I think currently it just links to the Google or Apple stores with no real mention or link to the actual web browser version. I'm sure that would only take all of maybe 5 minutes to do. I think everyone knows how easy it is to spoof a login site, and many people look to official sites to ensure they aren't putting their credentials into a malicious site.

16-Jan-2018 17:13:16

Mod Lyon

Jagex Moderator
Pinecone_Gng said:
Understandable. The features within the browser version of the companion are fine, just the page doesn't look "legitimate" I guess when compared to other parts of the site. I know you guys don't plan on really adding anything new to it, but it may be worth just adding the URL under the companion app section of the site? I think currently it just links to the Google or Apple stores with no real mention or link to the actual web browser version. I'm sure that would only take all of maybe 5 minutes to do. I think everyone knows how easy it is to spoof a login site, and many people look to official sites to ensure they aren't putting their credentials into a malicious site.


The app itself performs as required by Apple and the Google Play store. We've done all we can to ensure customers are safe and are sure where they are entering their data, but there's only so much we can do when adhering to Apple / Google guidelines or impacting on the user's experience.

Downloading the app tells the user it was created by 'Jagex Games Studio' to further provide confirmation of security.

Thanks,
Mod Lyon
Jagex Web Team

Twitter - @JagexLyon

17-Jan-2018 09:30:24 - Last edited on 17-Jan-2018 09:32:06 by Mod Lyon
