• Plugin & Theme Dev

    @charles said:

    // www. example. com is better than forcing.

    while i agree with this in principle it won't solve the issue of www.myrandomblogaboutsocks.com only serving content over http. if you try to link http://www.myrandomblogaboutsocks.com/public/images/uploads/mine/some/path/image0457239.png as //www.myrandomblogaboutsocks.com/public/images/uploads/mine/some/path/image0457239.png and you are currently on https, what you'll get is a broken image.

    which is not something users expect.

    i think ultimately the best solution for most forums is to have a whitelist of image hosts to use that support https, inline images via //domain.example.com/path and just leave all other images as links.

    it's not the prettiest nor the best user experience, but i think it strikes a nice balance between ease of implementation, ease of use, and ease of understanding for non technical people.


  • @accalia said:

    www.myrandomblogaboutsocks.com

    Frankly, I clicked this link. 🙂 ( even 4 times to be sure )

    I agree with you. That will be a most transparent way.

    And advanced users can try image proxy ( camo ).

  • Plugin & Theme Dev

    @qgp9 said:

    Frankly, I clicked this link

    hmm.... i'm now tempted to buy the domain name and put a markov chain generated blog there....

    maybe if i remember after i finish getting version 3.0 of SockBot out the door.


  • @accalia said:

    @charles said:

    // www. example. com is better than forcing.

    while i agree with this in principle it won't solve the issue of www.myrandomblogaboutsocks.com only serving content over http. if you try to link http://www.myrandomblogaboutsocks.com/public/images/uploads/mine/some/path/image0457239.png as //www.myrandomblogaboutsocks.com/public/images/uploads/mine/some/path/image0457239.png and you are currently on https, what you'll get is a broken image.

    which is not something users expect.

    i think ultimately the best solution for most forums is to have a whitelist of image hosts to use that support https, inline images via //domain.example.com/path and just leave all other images as links.

    it's not the prettiest nor the best user experience, but i think it strikes a nice balance between ease of implementation, ease of use, and ease of understanding for non technical people.

    the result would be:
    if a visitor visits http site and the image is using // then it will serve the image with http:// url
    if a visitor visits https site and the image is using // then it will serve the image with https:// url

    so using url path without http or https is the advantage.

    am I understanding it incorrectly?

  • Plugin & Theme Dev

    @charles said:

    if a visitor visits https site and the image is using // then it will serve the image with https:// url

    which is a problem if the webserver does not respond to https requests

    if the server supports http and https then the // prefix is correct but if the server only supports http then the // prefix is broken

    🙂

    that was my point. you can't know ahead of time if a random webserver supports both http and https, and https is not yet ubiquitus enough to assume there is https support (but hopefully initiatives such as letsencrypt fix that soon)


  • @accalia once letsencrypt make it easier it should get more people to use ssl. I'm guessing most large sites have ssl so using // should be non issue.

  • Plugin & Theme Dev

    @charles said:

    I'm guessing most large sites have ssl so using // should be non issue.

    but here's the thing. that's guessing, and users, particularly non technical users who post images found on some random blog that only serves via HTTP will complain when the picture works fine on their machine, but is broken when they view it on the forum.

    yes, for the big sites it will mostly be a non issue, but just because the big sites have SSL does not mean that it is by any stretch of the imagination safe to assume that all sites do.

    The thing about making decisions like this is to think of things from the point of view of the end users, and any behavior that breaks their images will be seen as broken by the end users.

    Torvalds was right when he said you do not break userspace (warning: uncouth language ahead. Linus is not known for being subtle nor for being politically correct)

    So, while i agree that the secure connection issue is important it needs to be solved in a way that end users will not perceive as broken.

    of the discussions put forth so far i think the two best solutions are:

    • use of a transparent proxy for unsecure images, such as camo (suggesteb first by @yariplus)
      and
    • use of a plugin that rewrites links for known image hosts to use HTTPS and turns HTTP images into links for non whitelisted domains

    Both of these solutions would offer behavior that removes the Connection Not Secure warning as well as maintaining what end users would consider working behavior.


  • @accalia said:

    use of a transparent proxy for unsecure images, such as camo (suggesteb first by @yariplus)
    and
    use of a plugin that rewrites links for known image hosts to use HTTPS and turns HTTP images into links for non whitelisted domains

    Agree, and why not both.

    • 2nd as default.
    • 1st as option.

  • @charles, @accalia and @qgp9

    nodebb-plugin-camo just got released which should make this whole issue a lot easier to solve. You can find the explanation post here.


  • @lenovouser thanks for sharing! will check it out.

Suggested Topics

| |