Twitter oneboxed content breaking SSL


(Allen - Watchman Monitoring) #1

I just posted a Twitter link on my hosted Discourse, and the page no longer had a nice SSL lock.

I see this:

Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.
2ember.prod:3051 Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.
discourse/lib/Markdown.Editor:995 Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.
ember.prod:3051 Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.

And I know that all the calls to http://pbs.twimg.com could be https://pbs.twimg.com

Is this a fix that the Discourse team can pull off? Or is it up to the official Twitter setup?


Oneboxed http link causes a TLS mixed content warning
(Jeff Atwood) #2

Not sure, is this something that could be fixed in the oneboxer @techapj with protocol-independent URLs?


(Kane York) #3

Protocol-independent URLs are incorrect here; it should be HTTPS always - Twitter is in the HSTS preload lists.


(Arpit Jalan) #4

Fixed via:

https://github.com/discourse/onebox/commit/d5bf777449b639fcbf41f693e995d3533b6bf108
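An added example (not from the thread, and not the code in the commit linked above): a Ruby illustration of the point made in post #3, where embedded `src` URLs for hosts known to be HTTPS-only are rewritten to `https://`, including protocol-relative ones, and any remaining `http://` sources are reported. The host list, the helper names and the sample HTML are assumptions made for this example.

```ruby
require "uri"

# Assumption: hosts the operator knows are HTTPS-only (e.g. HSTS-preloaded).
# Only pbs.twimg.com comes from the thread; extend the list for other embeds.
HTTPS_ONLY_HOSTS = %w[pbs.twimg.com].freeze

# Matches src="..." / src='...' but not data-src. Hypothetical helper pattern;
# a production renderer would walk the parsed DOM rather than use a regex.
SRC_ATTR = /(?<![\w-])(src\s*=\s*)(["'])(.*?)\2/im

def https_only_host?(host)
  !host.nil? && HTTPS_ONLY_HOSTS.include?(host.downcase)
end

# Upgrade one URL if its host is HTTPS-only; otherwise return it unchanged.
def upgrade_url(url)
  # A protocol-relative URL would inherit the page scheme; pin it per host.
  absolute = url.start_with?("//") ? "http:#{url}" : url
  uri = URI.parse(absolute)
  return url unless uri.scheme == "http" && https_only_host?(uri.host)
  absolute.sub(/\Ahttp:/i, "https:")
rescue URI::InvalidURIError
  url # leave unparseable values untouched
end

# Returns [rewritten_html, urls_still_loaded_over_http].
def upgrade_embedded_urls(html)
  leftover = []
  rewritten = html.gsub(SRC_ATTR) do
    prefix, quote, url = $1, $2, $3
    fixed = upgrade_url(url)
    leftover << fixed if fixed =~ /\Ahttp:\/\//i
    "#{prefix}#{quote}#{fixed}#{quote}"
  end
  [rewritten, leftover]
end

# Constructed sample of cooked post HTML (first URL is the one from post #1).
SAMPLE = <<~HTML
  <img src="http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png">
  <img src='//pbs.twimg.com/media/constructed.png'>
  <img src="http://images.example.org/constructed.png">
HTML

if __FILE__ == $0
  html, leftover = upgrade_embedded_urls(SAMPLE)
  puts html
  puts "still insecure: #{leftover.inspect}"
end
```

The second return value lists sources that would still trigger a mixed-content warning on an HTTPS page, which is what to alert on or proxy.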


(Arpit Jalan) #5