Links to Amazon cause a TLS mixed content warning

Linking to Amazon in a topic causes a mixed content warning when using https, presumably because the thumbnail is loaded from a third party over http.

Would it be possible to load the thumbnail using https instead?

Do you have a public forum? If so, can you provide a link to an article that displays the TLS mixed content issue?

I assume you’re using Amazon for your CDN? Or are you hosting your entire instance out there?

Unfortunately the forum is not public. I’m not using Amazon for hosting, I get this is issue when linking to a book on Amazon, like this:

Now you should get a warning when reading this topic, if you click at the place where normally the padlock is.

This is a known problem.
https://meta.discourse.org/t/download-images-for-oneboxes-as-well-if-download-images-is-set/21103/21?u=gerhard

2 Likes

Ahh, this is a oneboxing issue then and I don’t think there is an easy fix.

For example if you go to: Amazon.com

You’ll notice that it redirects to you HTTP, so I would say that site-wide HTTPS is not possible with Amazon at the moment. Which means the oneboxing code wouldn’t be able to pull in the HTTPS data from Amazon when your page loads.

One work-around is to use the method here:

https://meta.discourse.org/t/dont-load-http-images-when-using-https/27530/4

That thread references a feature request to store the images locally instead of pulling them “in real time” from the oneboxed site:

https://meta.discourse.org/t/download-images-for-oneboxes-as-well-if-download-images-is-set/21103?u=gerhard

This is not really a workaround, because it is not enforceable. A workaround would be disabling oneboxes for non-https content.

1 Like