Painkiller88 248 Posted June 28, 2020
Hi, I don't wanna be a smartass, but I saw on some pages I got a warning triangle with an exclamation mark from the SSL cert. This is because of mixed content (graphics from non-HTTPS sources).
This could be fixed pretty easily by adding this to the .htaccess:

    <IfModule mod_headers.c>
        Header always set Content-Security-Policy "upgrade-insecure-requests;"
    </IfModule>

This is nothing important, but it looks way better and maybe some scared ppl don't think they got redirected or are under attack :P

Painkiller88 248 Author Posted June 28, 2020
2 minutes ago, ebr said:
Hi. What pages did you see this on?

I recognized it in this topic:

ebr 16169 Posted June 28, 2020
Ah, okay, so it is user-provided links in posts causing the issue. @Abobader, is this something we can modify?

Painkiller88 248 Author Posted June 28, 2020
@ebr If you add the above code in the .htaccess it is solved, from whatever source the user is uploading images or linking from. The users can still link images from non-HTTPS pages but it won't break the SSL cert.

bigjohn 753 Posted June 28, 2020
It won't show an SSL warning, but the images won't display at all if there is no HTTPS available at the image site. So this doesn't truly solve the problem. Replacing any links to mediabrowser.tv throughout our forum database is one solution that would address the issue in that particular linked thread, or creating and maintaining another SSL cert to cover the old domain while also enabling the Content-Security-Policy is another.

Painkiller88 248 Author Posted June 28, 2020
1 hour ago, bigjohn said:
It won't show an SSL warning, but the images won't display at all if there is no HTTPS available at the image site. So this doesn't truly solve the problem. Replacing any links to mediabrowser.tv throughout our forum database is one solution that would address the issue in that particular linked thread, or creating and maintaining another SSL cert to cover the old domain while also enabling the Content-Security-Policy is another.

Are you sure the images won't show up? Because I also have a board and it is working on mine. I tested to link or embed some images from a non-HTTPS site and proved there is no HTTPS available, and the images show up on mine.

bigjohn 753 Posted June 29, 2020
From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
Quote
These URLs will be rewritten before the request is made, meaning that no insecure requests will hit the network. Note that, if the requested resource is not actually available via HTTPS, the request will fail without any fallback to HTTP.

And the links in the thread we have been discussing here have an added complication, they point to our server that uses SNI for SSL certs, so when it doesn't find https for that domain it will default to the first configured and that won't match the requested domain of mediabrowser.tv. I've got a redirect on mediabrowser.tv pointing to emby.media, but since the SSL handshake (and associated errors) happens before any redirect, it will still always fail when an HTTPS request is made.

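An added example, not part of the thread and not the forum's own code: a Python audit of stored post HTML for the database-replacement option described above, separating embeds that can be rewritten from hosts that would have to serve HTTPS themselves once upgrade-insecure-requests is on. The sample posts, img.example.net, and the same-path mapping from mediabrowser.tv to emby.media are constructed assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Assumption: content from the old domain is served at the same path on the new one.
DOMAIN_MAP = {"mediabrowser.tv": "emby.media"}
# Tag/attribute pairs that make the browser fetch a subresource. Plain <a href>
# links to other sites are navigations, not mixed content, so they are not flagged.
FETCH_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"), ("source", "src")}

class InsecureEmbedFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value and urlsplit(value).scheme == "http":
                self.found.append(value)

def find_insecure_embeds(post_html):
    finder = InsecureEmbedFinder()
    finder.feed(post_html)
    return finder.found

def rewrite_url(url):
    """Return the https URL on the mapped domain, or None if the host is not mapped."""
    parts = urlsplit(url)
    new_host = DOMAIN_MAP.get((parts.hostname or "").lower())
    return urlunsplit(("https", new_host, parts.path, parts.query, parts.fragment)) if new_host else None

def audit(posts):
    """Return (rewrites, unmapped): fixable URLs, and embed counts per remaining host."""
    rewrites, unmapped = {}, Counter()
    for post_html in posts:
        for url in find_insecure_embeds(post_html):
            new_url = rewrite_url(url)
            if new_url:
                rewrites[url] = new_url
            else:
                unmapped[urlsplit(url).hostname] += 1
    return rewrites, unmapped

# Constructed sample posts, not taken from the forum.
SAMPLE_POSTS = [
    '<p><img src="http://mediabrowser.tv/images/logo.png"></p>',
    '<img src="http://img.example.net/a.jpg"> <a href="http://mediabrowser.tv/wiki">wiki</a>',
    '<img src="https://emby.media/ok.png"><img src="http://img.example.net/b.jpg?x=1"/>',
]
```

Hosts left in the unmapped count are the ones whose images stop loading under the header unless they answer on HTTPS with a valid certificate.
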
Abobader 3464 Posted June 29, 2020
As bigjohn said, we will see what the best solution for this is for our needs, and then we apply it. Thanks @Painkiller8818 for the heads-up.