
Hard-coded image over http://

This discussion is related to the Vanilla jsConnect addon.

Hi,

JSConnect is hard-coded to pull "usericon_50.png" from "https://images.v-cdn.net/usericon_50.png"; this breaks SSL.

This image should either be relatively loaded from the local plugin, or users should be given a choice as to where this image is loaded from to avoid mixed content errors.

For now, it can be patched by changing the hard-coded value at L83 of class.jsconnect.plugin.php but this should be addressed in future releases.

ptoone
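The post above describes a mixed-content defect: an https page pulling an asset from an absolute http:// URL. The script below is an added example (not Vanilla's or the jsConnect addon's code) of how a maintainer could find such hard-coded asset URLs in a plugin tree, decide whether a given reference would be mixed content on an https page, and propose the relative, plugin-local path the post recommends. The PHP fragment, the host names and the plugin web root are constructed for the example.

```python
"""Scan source for hard-coded http:// asset URLs and classify mixed content.

Added example; not code from Vanilla or the jsConnect addon. The sample
PHP snippet, host names and the local asset path are constructed.
"""
import re
from urllib.parse import urlsplit

# File types a browser fetches as sub-resources of the page (images, CSS, JS, fonts).
ASSET_EXTS = ("png", "jpg", "jpeg", "gif", "svg", "css", "js", "woff", "woff2")

# A quoted absolute http:// URL ending in one of the asset extensions.
_HTTP_ASSET_RE = re.compile(
    r"""['"](http://[^'"\s]+?\.(?:%s))['"]""" % "|".join(ASSET_EXTS),
    re.IGNORECASE,
)


def find_hardcoded_http_assets(source: str):
    """Return (line_number, url) for every quoted http:// asset URL in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in _HTTP_ASSET_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


def is_mixed_content(page_url: str, resource_url: str) -> bool:
    """True when an https page would fetch resource_url over plain http.

    Relative ("/x.png") and scheme-relative ("//host/x.png") references
    inherit the page's scheme, so they never produce mixed content.
    """
    page_scheme = urlsplit(page_url).scheme.lower()
    res_scheme = urlsplit(resource_url).scheme.lower()
    return page_scheme == "https" and res_scheme == "http"


def suggest_local_path(url: str, plugin_web_root: str) -> str:
    """Rewrite an absolute asset URL to a path under the plugin's own web root.

    Only the file name is kept, so the browser reuses the page's scheme and host.
    plugin_web_root is a hypothetical location chosen by the caller.
    """
    filename = urlsplit(url).path.rsplit("/", 1)[-1]
    return plugin_web_root.rstrip("/") + "/" + filename


# Constructed PHP fragment standing in for a plugin file; not the real plugin source.
SAMPLE_PLUGIN_SOURCE = """<?php
class SamplePlugin {
    public function avatarUrl() {
        return 'http://cdn.example.net/usericon_50.png';
    }
    public function localCss() {
        return '/plugins/sample/design/style.css';
    }
}
"""


def report(source: str, page_url: str, plugin_web_root: str):
    """One dict per finding: location, mixed-content verdict and suggested replacement."""
    findings = []
    for lineno, url in find_hardcoded_http_assets(source):
        findings.append({
            "line": lineno,
            "url": url,
            "mixed_on_https": is_mixed_content(page_url, url),
            "suggested": suggest_local_path(url, plugin_web_root),
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_PLUGIN_SOURCE, "https://forum.example/",
                          "/plugins/sample/design"):
        print(finding)
```

Run it against a real plugin directory by reading each .php file into `report()`; the regex deliberately matches only quoted, absolute http:// URLs with an asset extension, so relative paths like the constructed `/plugins/sample/design/style.css` are left alone.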

Comments

  • JasonBarnabe (Cynical Salamander ✭✭)
    edited October 2014

    I reported this here. I'd make a pull request to fix it, but I don't know a proper https URL for this.

  • peregrinetuoni

    Ah, sorry - I had looked, but obviously not hard enough.

    To be honest, I don't see why this is loading from a CDN anyway - surely it should either load from the local plugin files or give an option of a URI to point at? Is it worth me adding that option and doing a pull request? Hard-coded paths are bad :(

  • JasonBarnabe (Cynical Salamander ✭✭)

    I don't see why you'd add it as an option, but just including it in the addon seems reasonable to me.

  • Sorry, yes, I meant including a URI textbox for that image in the settings by "that option". It's been a long day :(

  • Thanks, it was not easy getting vanilla to work over ssl.

  • x00 (MVP)
    edited April 2015

    mixed content errors are inevitable on a forum, where people can post things from anywhere.

    grep is your friend.

  • Yes, I am noticing that the twitter profile pics from users that signed up through twitter are not https. It can be fine tuned to work but I think Vanilla should have SSL option.

  • @ptoone said:
    Yes, I am noticing that the twitter profile pics from users that signed up through twitter are not https. It can be fine tuned to work but I think Vanilla should have SSL option.

    It can have an option, yes, but a user doesn't know about secure content when they post a picture. You can't assume there is a secure version of that content, or that it is as simple as changing to https.

    On a forum expect mixed content errors.

    grep is your friend.

  • Anonymoose (✭✭)
    edited April 2015

    Vanilla seems to like loading things from the cdn, probably as a way to keep track of who is using vanilla. Or maybe they just couldn't be moosed to change those hard coded lines.
