Hard-coded image over http://
tuoni
New
Hi,
JSConnect is hard-coded to pull "usericon_50.png" from "https://images.v-cdn.net/usericon_50.png"; this breaks SSL.
This image should either be relatively loaded from the local plugin, or users should be given a choice as to where this image is loaded from to avoid mixed content errors.
For now, it can be patched by changing the hard-coded value at L83 of class.jsconnect.plugin.php but this should be addressed in future releases.
Comments
I reported this here. I'd make a pull request to fix it, but I don't know a proper https URL for this.
Ah, sorry - I had looked, but obviously not hard enough.
To be honest, I don't see why this is loading from a CDN anyway - surely it should either load from the local plugin files or give an option of a URI to point at? Is it worth me adding that option and doing a pull request? Hard-coded paths are bad
I don't see why you'd add it as an option, but just including it in the addon seems reasonable to me.
Sorry, yes, I meant including a URI textbox for that image in the settings by "that option". It's been a long day.
Thanks, it was not easy getting vanilla to work over ssl.
Mixed content errors are inevitable on a forum, where people can post things from anywhere.
grep is your friend.
Yes, I am noticing that the twitter profile pics from users that signed up through twitter are not https. It can be fine tuned to work but I think Vanilla should have SSL option.
It can have an option, yes, but a user doesn't know about secure content when they post a picture. You can't assume there is a secure version of that content, or that it is as simple as changing to https.
On a forum expect mixed content errors.
grep is your friend.
Vanilla seems to like loading things from the cdn, probably as a way to keep track of who is using vanilla. Or maybe they just couldn't be moosed to change those hard coded lines.
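A check for the mixed-content problem discussed in this thread (the hard-coded CDN icon in the opening post and the user-posted avatars raised in the comments), added here as an example; it is not code from Vanilla or the JSConnect plugin. It scans a rendered page for subresources with an explicit http:// URL, which a browser on an https page either blocks (scripts, stylesheets, frames) or flags (images, media), and treats relative and protocol-relative URLs as safe because they inherit the page's scheme. The page fragment, the forum and CDN hostnames other than images.v-cdn.net, and the assumption that the icon is fetched over http:// (as the thread title states) are constructed for the example.

```python
"""Mixed-content audit for an HTML page served over https (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes per tag that make the browser fetch a subresource.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# Kinds that browsers block outright on an https page; the rest (images,
# media, non-stylesheet links) load but are reported as mixed content.
BLOCKED_KINDS = {"script", "stylesheet", "iframe", "object", "embed"}

# url(...) inside an inline style attribute also triggers a fetch.
_CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


class _SubresourceCollector(HTMLParser):
    """Collect every (kind, attribute, url) a browser would fetch."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        kind = tag
        if tag == "link":  # only rel=stylesheet links are blocked, others are flagged
            kind = "stylesheet" if "stylesheet" in (attrs.get("rel") or "").lower() else "link"
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # "url 1x, url 2x": keep only the URL of each candidate
                for cand in value.split(","):
                    parts = cand.strip().split()
                    if parts:
                        self.found.append((kind, name, parts[0]))
            else:
                self.found.append((kind, name, value))
        style = attrs.get("style")
        if style:
            for url in _CSS_URL.findall(style):
                self.found.append((kind, "style", url))


def find_mixed_content(html, page_url):
    """Return the http:// subresources a browser would flag on page_url.

    Relative and protocol-relative (//host/path) URLs resolve against the
    page's own scheme, so only an explicit http:// URL is reported.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    collector = _SubresourceCollector()
    collector.feed(html)
    report = []
    for kind, attr, url in collector.found:
        absolute = urljoin(page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            report.append({
                "tag": kind,
                "attr": attr,
                "url": absolute,
                "effect": "blocked" if kind in BLOCKED_KINDS else "warning",
            })
    return report


# Constructed sample in the shape of a forum page: a hard-coded CDN icon,
# a user-posted avatar, and local / protocol-relative assets that are fine.
SAMPLE_PAGE_URL = "https://forum.example.com/discussion/1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/style.css">
<script src="//cdn.example.com/jquery.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body style="background: url(http://cdn.example.com/bg.png)">
<img src="http://images.v-cdn.net/usericon_50.png">
<img src="/plugins/jsconnect/design/usericon_50.png">
<img src="http://img.example.com/user-avatar.jpg"
     srcset="http://img.example.com/a.jpg 1x, https://img.example.com/a2.jpg 2x">
</body></html>
"""


def audit_sample():
    """Run the audit over the constructed page."""
    return find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL)


if __name__ == "__main__":
    for entry in audit_sample():
        print(f"{entry['effect']:8} <{entry['tag']} {entry['attr']}> {entry['url']}")
```

Running it against a real Vanilla page (saved from the browser after login, so that user-posted content is included) lists exactly the URLs that need a local copy, an https source, or a configurable setting; a protocol-relative `//images.v-cdn.net/...` would also pass this check, but only if the CDN actually serves the file over https.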