Avoiding use of mixed content



  • I have just found out about nodebb and have been trying to get a bit familiar with it in the last few day. One thing I noticed so far is that this particular installation is served over HTTPS but actually has some non secure content mixed in it. In most browsers this only causes a little notification, but in some versions of Firefox, websites with mixed content are completely blocked. Here are some screenshots:
    nodebb_community_firefox.png
    Some version of Firefox completely block mixedcontent

    nodebb_chrome_mixedcontent.png
    Chrome seems to show a warning when encountering mixed content

    I believe there is an effort to discourage using of mixed content to improve the security of the web. I am not sure if this is a bug with nodebb itself, or just this particular installation, that is why I decided to post here to get some feedback. Are there any plans to address this issue?


  • Plugin & Theme Dev

    on the main page it seems that the content Help NodeBB win! (gets shown within a widget sometimes) gets loaded insecure. The devs may change this because there is a secure image on same path.
    So this is a problem of this instance.

    On some other pages you'll come around insecure content, that may be an image within posts (which NodeBB shoudn't filter, so it's ok).
    Also some profile-images on this instance have an insecure reference (for some users who registered in early ages of NodeBB, it won't happen with newer user-images, so it's an instance problem too).

    Besides this problems I haven't encountered any mixed content yet (but I may have overseen them since I use chrome where the symbol is decent), so in your own board-instance you'd probably not encounter any mixed content (besides within user-posts).


  • Admin

    Thanks for the report @arasbm, and your comments @frissdiegurke. The CMS Critic asset is now requesting via HTTPS, so the mixed use warning should no longer apply.

    NodeBB itself does only request protocol-relative assets, although in the case of some older forums, they may be requesting uploaded image assets (avatars) via HTTP, although that is far and few between, and I believe an update to the latest version of NodeBB should handle that nicely.



  • @julian Hi we have mixed content error on our forum because of user image uploade

    How we can fix this issue?




  • Admin

    @sanatisharif You will need to have your users re-upload their images.


  • Community Rep

    @sanatisharif You can also use nodebb-plugin-camo which will proxy user uploads through https, removing mixed-content warnings.


 

Suggested Topics

  • 2
  • 5
  • 7
  • 4
  • 24
| |