JSS
Built-in profile pictures are not secure.
« on: April 17, 2020, 12:15:00 PM »
I just noticed that all the built-in profile pictures are http and not https links.

Not exactly a world-shattering security hole, but something to fix if it's just editing a script or config line somewhere.

That would keep web browsers from complaining your site is insecure, which likely drives off a small number of people.


xasop, Administrator
Re: Built-in profile pictures are not secure.
« Reply #1 on: April 17, 2020, 02:40:12 PM »
It wouldn't keep browsers from complaining about that because plenty of people just link external avatars anyway. We'd need to have SMF copy external avatars so they can be hosted over HTTPS, and I'm not sure if that work is entirely worth it given it's only GET requests for images. Browsers can be so touchy.

Edit: Actually, fixing the built-in ones is probably indeed worthwhile as the cookie for the forum will be sent to such URLs. I didn't realise those were http, given we force SMF to be served only over https. Thanks for raising this, it's time to go garbage diving in SMF code again.
« Last Edit: April 17, 2020, 02:44:19 PM by Parsifal »
when you try to mock anyone while also running the flat earth society. Lol
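The two points raised in this thread (JSS's observation that built-in avatars are plain `http://` links on an HTTPS page, and xasop's follow-up that the forum cookie would be sent along with those image requests) can be checked mechanically. The Python below is an added example, not code from SMF or from either poster: it scans a page's resource references for mixed content, and it uses the standard-library cookie jar to show when a session cookie would accompany an `http://` image request and how the `Secure` attribute prevents that. The hostnames, paths and the HTML snippet are constructed for the example.

```python
from html.parser import HTMLParser
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urljoin, urlsplit
import urllib.request

# Constructed sample: an HTTPS forum page referencing several avatar images.
# The hostnames and paths are placeholders, not real SMF paths.
PAGE_URL = "https://forum.example.org/index.php?topic=1.0"
SAMPLE_HTML = """
<html><body>
<img src="http://forum.example.org/Themes/default/images/avatars/blank.png">
<img src="https://forum.example.org/Themes/default/images/avatars/ok.png">
<img src="/custom_avatar/jss.png">
<img src="http://external.example.net/me.png">
</body></html>
"""


class MixedContentScanner(HTMLParser):
    """Collects sub-resources that an HTTPS page would fetch over plain HTTP."""

    RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = self.RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Relative and scheme-relative URLs inherit the page scheme, so only
        # explicit http:// references on an https:// page count as mixed content.
        absolute = urljoin(self.page_url, value)
        if self.page_scheme == "https" and urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def upgrade_same_host(page_url, resource_url):
    """The fix for built-in avatars: switch same-host http:// links to https://."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if res.scheme == "http" and res.netloc == page.netloc:
        return res._replace(scheme="https").geturl()
    return resource_url


def cookie_sent_to(cookie_domain, secure, url):
    """Would a session cookie set for cookie_domain be attached to a request for url?

    Uses http.cookiejar's default policy, which mirrors browser behaviour for
    the Secure attribute: Secure cookies are never sent over plain http.
    """
    jar = CookieJar()
    jar.set_cookie(Cookie(
        version=0, name="SMFCookie", value="constructed-session-id",
        port=None, port_specified=False,
        domain=cookie_domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True, secure=secure, expires=None,
        discard=True, comment=None, comment_url=None, rest={},
    ))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # adds a Cookie header only if policy allows
    return request.get_header("Cookie") is not None


if __name__ == "__main__":
    for tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        leaks = cookie_sent_to("forum.example.org", False, url)
        print(f"mixed content <{tag}> {url} "
              f"(cookie without Secure sent: {leaks}) -> {upgrade_same_host(PAGE_URL, url)}")
```

Running the scanner on the sample flags the two explicit `http://` images; the root-relative one is fine because it inherits the page's scheme. For the same-host `http://` avatar, the cookie jar attaches the session cookie unless the cookie carries the `Secure` attribute, which is the check worth running against a real deployment: rewriting the avatar links to `https://` removes the mixed-content warning, and marking the session cookie `Secure` means any remaining plain-HTTP link (including member-supplied external avatars, which are on other hosts anyway) cannot carry the session with it.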