Welcome to Codidact Meta!
Codidact Meta is the meta-discussion site for the Codidact community network and the Codidact software. Whether you have bug reports or feature requests, support questions or rule discussions that touch the whole network – this is the site for you.
Some user avatars are referenced over HTTP when the page is loaded over HTTPS, triggering mixed content handling
I noticed that visiting Using accents while staying legible on Writing triggered a mixed content warning in my browser. Another example is How to train readers in Argot or Slang (full disclosure: I have posted an answer to the latter question).
It seems that some user avatars are referred to through http://writing.codidact.com/uploads/...
which then redirects to https://s3.amazonaws.com/storage.qpixel.artofcode.co.uk/...
.
This is a problem because the initial request is for a resource hosted over HTTP, which triggers mixed content handling in the browser.
Even though images aren't considered active content, that's still enough to cause a strictly configured browser to not load them, and it is a potential information leak; especially on pages with multiple user avatars displayed, it would be plausible to piece together which pages are being viewed based on the specific set of user avatars requested.
Such requests should either be explicitly HTTPS, or protocol-relative. (A protocol-relative link is, for example, //writing.codidact.com/uploads/...
; notice that the protocol specification is missing. If the page is loaded over HTTP, this uses HTTP; correspondingly, if the page is loaded over HTTPS, it uses HTTPS.)
Without having analyzed the issue in detail, it appears to me that this is the case for users who have uploaded their own avatars; those served by unicornify.pictures
are correctly requested over HTTPS.
1 comment thread