Public posts contain secure upload URLs for non-secure uploads

A lot of recent posts seem to have uploads with secure upload URLs in them despite the uploads themselves not being marked as secure, and a small subset of those uploads also have optimized images with the incorrect ACL set. All of the original images have the correct ACL in S3.

3 Likes

I am confused; I don’t think we support a “mixed mode” properly, @martin?

When secure uploads are enabled everything should be secured including public posts?

3 Likes

The rules are:

  1. If login_required, everything is marked secure except for public things like site logos, emoji etc.
  2. If it is not, then only uploads in PMs or secure categories are marked secure

I would need to see some examples of this. Is it possible that the image URL has just been copied from another post into a new one? I haven’t seen this behaviour before of something getting a secure URL without the underlying upload being secure.

4 Likes

This was one I found (to my knowledge none of the images were hotlinked).

The top image does not have a secure link, but all of the others do (although it gets negated by the public read ACL). I’ve noticed that on every other affected post, it’s always the first image that is fine but not the others (posts with only one image are unaffected).

1 Like

OK, so I found another one, although they’re slightly less frequent now.

The images are indeed marked as secure in the database (and were not hotlinked), with the reason “access control post dictates security | source: post creator”, despite the access control post being a public post that was never edited nor moved.

Like the previous post above, the first image in the post was not marked as secure but all of the others were.

A very similar thing is occurring on a different forum, although in this case only the first upload is secure but none of the others.
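
An added example, not part of any post in this thread and not Discourse's own code: a small audit that applies the two rules quoted above to a set of upload records and reports uploads whose secure flag or S3 ACL disagrees with them. The `Upload` struct, its field names, the context labels and the sample records are assumptions constructed for illustration; `private` and `public-read` are the S3 canned ACL names.

```ruby
# Simplified model of the two rules quoted in this thread.
# Struct fields and helper names are hypothetical, not Discourse's schema.
Upload = Struct.new(:id, :secure, :acl, :context, :public_asset, keyword_init: true)

# Rule 1: with login_required, everything is secure except public assets
#         (site logos, emoji and similar).
# Rule 2: otherwise only uploads in PMs or secure categories are secure.
def expected_secure?(upload, login_required:)
  return false if upload.public_asset
  return true if login_required
  %i[pm secure_category].include?(upload.context)
end

# Returns [upload_id, problem] pairs for every inconsistency found.
def audit(uploads, login_required:)
  uploads.flat_map do |u|
    want = expected_secure?(u, login_required: login_required)
    problems = []
    problems << :marked_secure_but_should_be_public if u.secure && !want
    problems << :marked_public_but_should_be_secure if !u.secure && want
    # The object ACL should follow the state the rules call for.
    want_acl = want ? "private" : "public-read"
    problems << :acl_mismatch if u.acl != want_acl
    problems.map { |p| [u.id, p] }
  end
end

# Constructed sample records: upload 2 mirrors the symptom reported in the
# thread (secure flag set on an image in a public post).
SAMPLE = [
  Upload.new(id: 1, secure: false, acl: "public-read", context: :public_post, public_asset: false),
  Upload.new(id: 2, secure: true,  acl: "public-read", context: :public_post, public_asset: false),
  Upload.new(id: 3, secure: true,  acl: "private",     context: :pm,          public_asset: false),
  Upload.new(id: 4, secure: false, acl: "public-read", context: :site_logo,   public_asset: true),
  Upload.new(id: 5, secure: true,  acl: "public-read", context: :pm,          public_asset: false),
].freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE, login_required: false).each { |id, p| puts "upload #{id}: #{p}" }
end
```

Reporting the flag and the ACL separately distinguishes a wrong database flag on a correctly public object (upload 2) from a secure upload whose object is publicly readable (upload 5).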