Emby Board Improvement

[Painkiller8818 203]

Hi,

I don't wanna be a smartass but i saw on some pages i got a warning triangle with an exclamation mark from the SSL Cert.

This is because of mixed Content (Graphics from non HTTPS Sources)


This could be fixed pretty easy by adding this into the .htaccess:

<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>


This is nothing important but it looks way better and maybe some scared ppl don't think they got redirected or are under attack :P

[ebr 14910]

Hi.  What pages did you see this on?

[Painkiller8818 203]

2 minutes ago, ebr said:

Hi.  What pages did you see this on?

i recorgnized it in this topic:
 

 

[ebr 14910]

Ah, okay, so it is user-provided links in posts causing the issue.

@Abobader, is this something we can modify?

[Painkiller8818 203]

@ebr If you add the above code in the .htaccess it is solved, from whatever source the user is uploading images or linking from.

The users can still link images from non https pages but it won't break the SSL cert.

[bigjohn 655]

It won't show a SSL warning, but the images won't display at all if there is no HTTPS available at the image site. So this doesn't truly solve the problem.

Replacing any links to mediabrowser.tv throughout our forum database is one solution that would address the issue in that particular linked thread, or creating and maintaining another SSL cert to cover the old domain while also enabling the Content-Security-Policy is another.

[Painkiller8818 203]

1 hour ago, bigjohn said:

It won't show a SSL warning, but the images won't display at all if there is no HTTPS available at the image site. So this doesn't truly solve the problem.

Replacing any links to mediabrowser.tv throughout our forum database is one solution that would address the issue in that particular linked thread, or creating and maintaining another SSL cert to cover the old domain while also enabling the Content-Security-Policy is another.

Are you Sure the images won't show up? Because i also have a Board and it is working on mine. 

 

I teste to link or embedd Some images from a non https site and proved there is no https available and the images show up on mine. 

[bigjohn 655]

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

Quote

These URLs will be rewritten before the request is made, meaning that no insecure requests will hit the network. Note that, if the requested resource is not actually available via HTTPS, the request will fail without any fallback to HTTP.

And the links in the thread we have been discussing here have an added complication, they point to our server that uses SNI for SSL certs, so when it doesn't find https for that domain it will default to the first configured and that won't match the requested domain of mediabrowser.tv. I've got a redirect on mediabrowser.tv pointing to emby.media, but since the SSL handshake (and associated errors) happens before any redirect, it will still always fail when an HTTPS request is made.

[Abobader 2942]

As bigjohn said, we will see what best solution for this to our best need, and then we apply it.

Thanks @Painkiller8818 for the head up.