Painkiller8818 203 Posted June 28, 2020 Share Posted June 28, 2020 Hi, I don't wanna be a smartass but i saw on some pages i got a warning triangle with an exclamation mark from the SSL Cert. This is because of mixed Content (Graphics from non HTTPS Sources) This could be fixed pretty easy by adding this into the .htaccess: <IfModule mod_headers.c> Header always set Content-Security-Policy "upgrade-insecure-requests;" </IfModule> This is nothing important but it looks way better and maybe some scared ppl don't think they got redirected or are under attack :P Link to comment Share on other sites More sharing options...
ebr 14910 Posted June 28, 2020 Share Posted June 28, 2020 Hi. What pages did you see this on? Link to comment Share on other sites More sharing options...
Painkiller8818 203 Posted June 28, 2020 Author Share Posted June 28, 2020 2 minutes ago, ebr said: Hi. What pages did you see this on? i recorgnized it in this topic: Link to comment Share on other sites More sharing options...
ebr 14910 Posted June 28, 2020 Share Posted June 28, 2020 Ah, okay, so it is user-provided links in posts causing the issue. @Abobader, is this something we can modify? Link to comment Share on other sites More sharing options...
Painkiller8818 203 Posted June 28, 2020 Author Share Posted June 28, 2020 @ebr If you add the above code in the .htaccess it is solved, from whatever source the user is uploading images or linking from. The users can still link images from non https pages but it won't break the SSL cert. Link to comment Share on other sites More sharing options...
bigjohn 655 Posted June 28, 2020 Share Posted June 28, 2020 It won't show a SSL warning, but the images won't display at all if there is no HTTPS available at the image site. So this doesn't truly solve the problem. Replacing any links to mediabrowser.tv throughout our forum database is one solution that would address the issue in that particular linked thread, or creating and maintaining another SSL cert to cover the old domain while also enabling the Content-Security-Policy is another. Link to comment Share on other sites More sharing options...
Painkiller8818 203 Posted June 28, 2020 Author Share Posted June 28, 2020 1 hour ago, bigjohn said: It won't show a SSL warning, but the images won't display at all if there is no HTTPS available at the image site. So this doesn't truly solve the problem. Replacing any links to mediabrowser.tv throughout our forum database is one solution that would address the issue in that particular linked thread, or creating and maintaining another SSL cert to cover the old domain while also enabling the Content-Security-Policy is another. Are you Sure the images won't show up? Because i also have a Board and it is working on mine. I teste to link or embedd Some images from a non https site and proved there is no https available and the images show up on mine. Link to comment Share on other sites More sharing options...
bigjohn 655 Posted June 29, 2020 Share Posted June 29, 2020 From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests Quote These URLs will be rewritten before the request is made, meaning that no insecure requests will hit the network. Note that, if the requested resource is not actually available via HTTPS, the request will fail without any fallback to HTTP. And the links in the thread we have been discussing here have an added complication, they point to our server that uses SNI for SSL certs, so when it doesn't find https for that domain it will default to the first configured and that won't match the requested domain of mediabrowser.tv. I've got a redirect on mediabrowser.tv pointing to emby.media, but since the SSL handshake (and associated errors) happens before any redirect, it will still always fail when an HTTPS request is made. Link to comment Share on other sites More sharing options...
Abobader 2942 Posted June 29, 2020 Share Posted June 29, 2020 As bigjohn said, we will see what best solution for this to our best need, and then we apply it. Thanks @Painkiller8818 for the head up. 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now