No images shown with HTTPS-only mode enabled in Firefox

[iissmart 0]

Firefox 119.0 on Kubuntu 22.04 desktop, emby server 4.8.7.0 running on Ubuntu 22.04 server. Emby Premiere license.

With HTTPS-only mode enabled in Firefox, and when accessing my server via https://app.emby.media, I don't see any show images under Recordings, TV Shows, Movies, or Live TV. Opening a TV show shows the background image of the show, but no rectangular banner (just empty space where it would be).

With HTTPS-only mode disabled, but still accessing my server via https://app.emby.media, all images load as expected. I can literally just toggle the HTTP-only mode, then refresh the https://app.emby.media tab, and see the images appear or disappear based on the HTTPS-only setting.

Oddly enough, with HTTPS-only mode enabled, but an exception added for the app.emby.media domain, the images still don't load. I expected them to load with the exception added...maybe they load from a different domain?

Images also load with HTTPS-only mode enabled, when browsing directly to my server using the external address of https://example.com:8920/ (using the real domain name) or http://192.168.x.y:8096/ (using the real internal IP address).

I'd like to keep the HTTPS-only mode setting enabled in Firefox, but I'd be OK with adding an exception if that could work somehow as well. Any idea why HTTPS-only mode doesn't work, or what needs to be added for the exception to work?

Edited May 26, 2024 by iissmart

[Luke 42077]

Hi, if I had to guess, the hosted web app is probably connecting using your lan address? 

[iissmart 0]

18 minutes ago, Luke said:

Hi, if I had to guess, the hosted web app is probably connecting using your lan address? 

Good idea, that made me think of another test. I've been testing on the same network as the server thus far. When I put the client outside the network (on my phone hotspot in this case), and try to access https://app.emby.media with HTTPS-only mode enabled, it loads the images!

So if the web app is somehow connecting using my lan address, you'd think I could add that address to the exception list and have it work, but that doesn't seem to change anything. I've added every possible name I can think of, as well as the internal IP address, to the exception list but it still won't load images while on the internal network.

Is it normal to have the web app connect using the lan address like that? Is it connecting over HTTP even though the web app itself is over HTTPS? Can I change that behavior?

Edited May 26, 2024 by iissmart

[Luke 42077]

Quote

Is it normal to have the web app connect using the lan address like that? Can I change that behavior?

it tries to use the lan address and then switches to wan when that is unreachable. That is what the vast majority of users need and there is currently no way to prevent that. That's not to say that we couldn't add something, but that there's no way right now.

Have you checked the firefox debug console while testing this?

[iissmart 0]

Just checked the firefox debug console, and yes it shows that it's accessing the lan address when trying to retrieve the images.

Mixed Content: Upgrading insecure display request ‘http://192.168.x.y:8096/emby/Items/22530/Images/Primary?maxHeight=298&maxWidth=198&tag=abcd&quality=90’ to use ‘https’

I guess it probably can't try accessing the lan address over HTTPS since the certificate wouldn't match the address.

It's still odd that putting that 192.168.x.y address into the exception list doesn't cause it to work. Maybe there's some other setting in firefox about how to handle mixed content like this?

[Lessaj 467]

Try adding the exception as http://192.168.x.y:8096

[iissmart 0]

23 minutes ago, Lessaj said:

Try adding the exception as http://192.168.x.y:8096

Didn't fix it unfortunately.

I'm looking at the security.mixed_content.upgrade_display_content and security.mixed_content.upgrade_display_content.image settings in firefox, which seem to fix it when one or both are off, but these are global settings and not per-site so I'm not comfortable with keeping these disabled permanently.

I think the solution is to somehow have the web app access the images either using the lan address over HTTPS, or have it always use the remote address (over HTTPS) even if the local address is available, to avoid mixed content.

[Happy2Play 9780]

Sounds like CORS issue.

See the top section of this how to on browser flags.

 

[Luke 42077]

3 hours ago, iissmart said:

Just checked the firefox debug console, and yes it shows that it's accessing the lan address when trying to retrieve the images.

Mixed Content: Upgrading insecure display request ‘http://192.168.x.y:8096/emby/Items/22530/Images/Primary?maxHeight=298&maxWidth=198&tag=abcd&quality=90’ to use ‘https’

I guess it probably can't try accessing the lan address over HTTPS since the certificate wouldn't match the address.

It's still odd that putting that 192.168.x.y address into the exception list doesn't cause it to work. Maybe there's some other setting in firefox about how to handle mixed content like this?

Are the data requests using https?

[iissmart 0]

14 hours ago, Luke said:

Are the data requests using https?

I think I see two sets of requests. First there is a set of requests for http://192.168.x.y:8096, looks like that succeeds but with an insecure icon (lock icon with a red slash through it), then another set of requests for https://192.168.x.y:8096 that fail with NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_SECURITY, SSL_ERROR_RX_RECORD_TOO_LONG).

[Lessaj 467]

Yea it's trying to use https on port 8096 but that won't work since that listener only responds to http requests, it needs to be using 8920 if it's going to try https, so you might just want to connect to the server on 8920 instead which is always https.