Avoiding use of mixed content
-
I have just found out about NodeBB and have been trying to get a bit familiar with it in the last few days. One thing I noticed so far is that this particular installation is served over HTTPS but actually has some non-secure content mixed in it. In most browsers this only causes a little notification, but in some versions of Firefox, websites with mixed content are completely blocked. Here are some screenshots:
Some versions of Firefox completely block mixed content
Chrome seems to show a warning when encountering mixed content
I believe there is an effort to discourage the use of mixed content to improve the security of the web. I am not sure if this is a bug with NodeBB itself, or just this particular installation, that is why I decided to post here to get some feedback. Are there any plans to address this issue?
-
On the main page it seems that the content (gets shown within a widget sometimes) gets loaded insecurely. The devs may change this because there is a secure image on the same path.
So this is a problem of this instance.
On some other pages you'll come around insecure content, that may be an image within posts (which NodeBB shouldn't filter, so it's ok).
Also some profile images on this instance have an insecure reference (for some users who registered in the early ages of NodeBB, it won't happen with newer user images, so it's an instance problem too).
Besides these problems I haven't encountered any mixed content yet (but I may have overseen them since I use Chrome where the symbol is decent), so in your own board instance you'd probably not encounter any mixed content (besides within user posts).
-
Thanks for the report @arasbm, and your comments @frissdiegurke. The CMS Critic asset is now requesting via HTTPS, so the mixed use warning should no longer apply.
NodeBB itself does only request protocol-relative assets, although in the case of some older forums, they may be requesting uploaded image assets (avatars) via HTTP, although that is far and few between, and I believe an update to the latest version of NodeBB should handle that nicely.
-
@julian see this url please:
https://community.nodebb.org/topic/11555/test-mixed-content
-
@sanatisharif You will need to have your users re-upload their images.
-
@sanatisharif You can also use nodebb-plugin-camo which will proxy user uploads through https, removing mixed-content warnings.
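-
An added example (not part of the thread and not NodeBB code): a small Node.js check that scans rendered HTML for the `http://` asset references discussed above and treats protocol-relative and relative URLs as safe on an HTTPS page. The sample HTML and the `*.example` hostnames are constructed, and the regex scan is a heuristic rather than a full HTML parser.

```javascript
// Added example: find mixed-content candidates in HTML served over HTTPS.
// Browsers block "active" mixed content (scripts, stylesheets, iframes);
// "passive" content (images, media) typically produces a warning instead.
const TAG_RE = /<(img|script|link|iframe|audio|video|source)\b([^>]*)>/gi;
const URL_ATTR_RE = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function classifyUrl(url) {
  const u = url.trim();
  if (/^http:\/\//i.test(u)) return 'insecure';
  if (/^https:\/\//i.test(u)) return 'secure';
  if (u.startsWith('//')) return 'protocol-relative'; // inherits the page's scheme
  if (/^[a-z][a-z0-9+.-]*:/i.test(u)) return 'other-scheme'; // data:, blob:, ...
  return 'relative'; // resolved against the page URL, so HTTPS on an HTTPS page
}

function findMixedContent(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attr = URL_ATTR_RE.exec(m[2]);
    if (!attr) continue;
    const url = attr[2] ?? attr[3] ?? attr[4];
    if (classifyUrl(url) !== 'insecure') continue;
    // <link> counts as active only when it loads a stylesheet.
    const active = tag === 'script' || tag === 'iframe' ||
      (tag === 'link' && /\brel\s*=\s*["']?[^"'>]*stylesheet/i.test(m[2]));
    findings.push({ tag, url, kind: active ? 'active' : 'passive' });
  }
  return findings;
}

// Constructed sample: one protocol-relative stylesheet, one insecure script,
// one old avatar stored with an http:// URL, and two safe images.
const SAMPLE_HTML = `
<link rel="stylesheet" href="//forum.example/assets/style.css">
<script src="http://cdn.example/widget.js"></script>
<img class="avatar" src="http://forum.example/uploads/avatar-1.png">
<img src="https://forum.example/uploads/avatar-2.png">
<img src='/uploads/avatar-3.png'>
`;

for (const f of findMixedContent(SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```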