Mixed content due to hotlinked images

Suddenly this morning I noticed the “Your Connection is Insecure” warning icon for our forum in my browser’s address bar. I fairly quickly traced it to the offending images through using “Latest” and then simply checking images people had uploaded. I found 2 images (Oneboxed) that had http links instead of https links. I deleted these and replaced them with just the links themselves. Immediately corrected the problem and we’re back to the green security lock. :grinning: Now I understand why another forum I am a member of also shows the “Connection Insecure” warning… many people had over the years uploaded links from http sites which were Oneboxed. Glad I don’t have to mess with that forum! :wink:

4 Likes

Unless the images are very large, Discourse would download those remote images and make them local in the name of preventing image rot, if your site has default settings. That’s a normal thing in Discourse. This has the additional benefit of also making the images https as well.

6 Likes

We have a paid Discourse and are using the default settings - I’ve changed nothing. The image itself is but 18.5k. The only thing that caused the insecure connection warning was the Onebox with the http link. Once I deleted that, within <2 seconds the lock icon turned back green. The user did upload the saved photo above the Onebox to show it larger. That was fine. I can check to see what the default setting is.

Edit: I checked the defaults for this:
crawl images: (box is checked) Retrieve remote images…
download remote images to local (box is checked) Convert remote images to local images by…

Nothing was changed.

1 Like

You could try pasting the same image link here, and we could have a look. The only thing I can think of that would prevent local download is if the image is very large.

I just pasted the link and it’s not Oneboxing. I also pasted a 2nd link the user used which also did not Onebox - but then I deleted that link as it has her user account number for downloading photos from that website.
Strange that it will not Onebox here. I just created a new reply on our forum, pasted the link - it Oneboxed and the security lock icon immediately changed from green to black with the warning exclamation icon… and the Onebox now shows a broken link for the photo.

http://www.freedigitalphotos.net/images/satellite-and-earth-photo-p234240

Edit: I just received a badge for my first Onebox… that doesn’t show anything but the link here on Meta. :laughing:

1 Like

That’s weird :thinking:.

@nbianca can you have a look at that once you get back?

1 Like

The first onebox badge has been granted for links that were not oneboxed for so long I thought that was the desired behavior. :roll_eyes:

1 Like

This only happened on my site once I deleted a link that was Oneboxed, but was causing an “insecure” icon in the address bar for our forum. After I posted the link here on Meta, it did not Onebox, but did give me the badge. Another odd thing is that I re-posted the link on my site and now it won’t Onebox it and it shows a “broken link” icon for the photo. I’m beginning to wonder if the original link - which had the original poster’s customer number tacked on the end - no longer Oneboxes because I removed the customer’s ID #. But she had also posted the same photo and link without her ID number in the same post and that did Onebox. This really has me confused. All the other links other people… and the original poster… all have Oneboxed on my site since then. It’s just this one link that caused this incident.
I’ll ask the original poster - a Mod - if she would create a test topic and repost her link in there to 1) see if it Oneboxes, and 2) if it causes the “secure” icon in the address bar to change to the “insecure connection” icon again. I’m slightly perplexed. :wink:

edit: I created a hidden topic in the Meta category on our site. I’ve asked the Mod if she would repost her link(s) to that topic (she also has Admin privileges). As soon as she posts, I’ll advise here.

Edit2: Here’s the link my Mod posted in a test topic. It did Onebox and it did cause the lock icon to change to “insecure connection” again. As you can see, it did not Onebox here. It did, however, Onebox on our site where she posted it. I copied the link and posted it in our test topic. It Oneboxed it, but without the photo! As you can see, it did not Onebox here. I think it may have something to do with the tracking cookie they set on my mod’s computer. I don’t have the cookie and the photo won’t show for me when I Onebox the link.

http://www.freedigitalphotos.net/images/satellite-and-earth-photo-p234240

Do you need the link to our test topic? It’s the only hidden topic in our Meta category and it’s at the top of the list. We are a paid subscriber. (forum.nodders.net)

1 Like

My Mod uploaded and Oneboxed her links again to our Meta category and the “Secure Connection” icon went from green to black with the orange warning icon. I posted (for her) a link from Mozilla (Firefox) regarding the difference between http, https and mixed content because she had said she sees no problem with mixed content. :roll_eyes:

I’m going to delete her links once again to get back to having a secure link to our forum. If you need it posted again, I’ll bother her to re-post them again.

1 Like

If it doesn’t onebox here, then there’s nothing to do. Is your instance up to date with latest code?

2 Likes

I last checked yesterday and the Dashboard was updated a couple of hours before that. Discourse was updated July 26… to 2.4.0.beta2?
That one link seems to be the only one that causes this. Not sure if it’s tied to my mod’s account on that website, a tracking cookie maybe that gets “lost” when the link is oneboxed? I did delete that link on our site and we’re back to “secure connection” - no mixed content.

1 Like

The problem was fixed in:

https://github.com/discourse/discourse/pull/7974

5 Likes

When I posted an external link, it tried to load the featured image from the insecure path, and as a result I got a mixed content error.

Easy fix

  • Go to /admin/customize

  • Add below code in of all present themes.

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

This works in Chrome as far as I could test. :hushed:

2 Likes
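
Added example (not written by any poster in this thread and not Discourse code): a small Python check that lists the `http://` subresources in a post's rendered HTML, which is the tracing the first post did by hand. It separates passive loads (images and media, the kind seen in this thread) from active ones, and ignores plain `<a href>` links, which never count as mixed content. The sample markup, hostnames and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that trigger a subresource fetch; <a href> is not one.
PASSIVE = {("img", "src"), ("img", "srcset"), ("source", "src"), ("audio", "src"),
           ("source", "srcset"), ("video", "src"), ("video", "poster")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        is_css = "stylesheet" in attrs.get("rel", "").lower().split()
        for name, value in attrs.items():
            if (tag, name) in PASSIVE:
                kind = "passive"  # images and media, as in this thread
            elif (tag, name) in ACTIVE or (tag, name, is_css) == ("link", "href", True):
                kind = "active"   # scripts, frames, plugins, stylesheets
            else:
                continue
            # srcset: comma-separated "url descriptor" candidates (simple split)
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            self.findings += [(kind, tag, u) for u in urls
                              if u.lower().startswith("http://")]

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: onebox-like preview with an http thumbnail, a local
# https image whose srcset has one http candidate, and an http script.
SAMPLE = """
<aside class="onebox">
  <a href="http://photos.example/satellite">Satellite photo</a>
  <img src="http://photos.example/thumb.jpg">
</aside>
<img src="https://forum.example/uploads/a.jpg"
     srcset="https://forum.example/uploads/a.jpg 1x, http://cdn.example/a@2x.jpg 2x">
<script src="http://cdn.example/widget.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the rendered HTML of a suspect topic, the passive findings point at the posts whose previews need to be replaced with a plain link or a locally hosted copy.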