Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Hard-coded image over http://

Hi,

JSConnect is hard-coded to pull "usericon_50.png" from "https://images.v-cdn.net/usericon_50.png"; this breaks SSL.

This image should either be relatively loaded from the local plugin, or users should be given a choice as to where this image is loaded from to avoid mixed content errors.

For now, it can be patched by changing the hard-coded value at L83 of class.jsconnect.plugin.php but this should be addressed in future releases.

Comments

  • JasonBarnabeJasonBarnabe Cynical Salamander ✭✭
    edited October 2014

    I reported this here. I'd make a pull request to fix it, but I don't know a proper https URL for this.

  • Ah, sorry - I had looked, but obviously not hard enough.

    To be honest, I don't see why this is loading from a CDN anyway - surely it should either load from the local plugin files or give an option of a URI to point at? Is it worth me adding that option and doing a pull request? Hard-coded paths are bad :(

  • JasonBarnabeJasonBarnabe Cynical Salamander ✭✭

    I don't see why you'd add it as an option, but just including it in the addon seems reasonable to me.

  • Sorry, yes, I meant including a URI textbox for that image in the settings by "that option". Its been a long day :(

  • Thanks, it was not easy getting vanilla to work over ssl.

  • x00x00 MVP
    edited April 2015

    mixed content errors are inevitable on a forum, where people can post things from anywhere.

    grep is your friend.

  • Yes, I am noticing that the twitter profile pics from users that signed up through twitter are not https. It can be fine tuned to work but I think Vanilla should have SSL option.

  • @ptoone said:
    Yes, I am noticing that the twitter profile pics from users that signed up through twitter are not https. It can be fine tuned to work but I think Vanilla should have SSL option.

    It can have an option yes, but I user doesn’t know about secure content when they they post picture. You can't assume there is a secure version of that content, or it is as simple as changing to https.

    On a forum expect mixed content errors.

    grep is your friend.

  • AnonymooseAnonymoose ✭✭
    edited April 2015

    Vanilla seems to like loading things from the cdn, probably as a way to keep track of who is using vanilla. Or maybe they just couldn't be moosed to change those hard coded lines.

Sign In or Register to comment.