Twitter oneboxed content breaking SSL

I just posted a Twitter link on my hosted Discourse, and the page no longer had a nice SSL lock.

I see this:

Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.
2ember.prod:3051 Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.
discourse/lib/Markdown.Editor:995 Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.
ember.prod:3051 Mixed Content: The page at 'https://forum.somedomain.com/t/pricing/43/3' was loaded over HTTPS, but requested an insecure image 'http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png'. This content should also be served over HTTPS.

And I know that all the calls to http://pbs.twimg.com could be https://pbs.twimg.com.

Is this a fix that the Discourse team can pull off? Or is it up to the official Twitter setup?

2 Likes

Not sure, is this something that could be fixed in the oneboxer @techapj with protocol independent URLs?

Protocol-independent URLs are incorrect here; it should be HTTPS always - Twitter is in the HSTS preload lists.

4 Likes

Fixed via:

https://github.com/discourse/onebox/commit/d5bf777449b639fcbf41f693e995d3533b6bf108

4 Likes
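
Added example, not part of the thread and not the code from the linked onebox commit: a Ruby sketch of the approach discussed above, pinning image URLs on hosts known to serve HTTPS to `https://` (including protocol-relative ones) and reporting any image that would still trigger the mixed-content warning. The allowlist, function names and sample HTML are assumptions made for illustration.

```ruby
require "uri"

# Assumption: hosts known to serve the same paths over HTTPS.
# pbs.twimg.com comes from the thread; extend the list for your own forum.
HTTPS_CAPABLE_HOSTS = %w[pbs.twimg.com].freeze

# Captures the src attribute of <img> tags (single or double quoted).
IMG_SRC = /(<img\b[^>]*?\ssrc\s*=\s*)(["'])(.*?)\2/im

# Constructed sample of oneboxed HTML, using the image URL from the console log.
SAMPLE_HTML = <<~HTML
  <img src="http://pbs.twimg.com/profile_images/518242033811472386/VKcAQvEB_normal.png">
  <img src='//pbs.twimg.com/a.png'>
  <img src="http://example.invalid/b.png">
  <a href="http://pbs.twimg.com/x">link</a>
HTML

# Returns the URL forced to https when its host is allowlisted.
# Protocol-relative URLs (//host/path) are pinned to https as well,
# so the result does not depend on how the embedding page was loaded.
def force_https(url, hosts)
  uri = URI.parse(url)
  return url unless uri.host && hosts.include?(uri.host.downcase)

  case uri.scheme&.downcase
  when "http" then url.sub(/\Ahttp:/i, "https:")
  when nil    then "https:#{url}"
  else url
  end
rescue URI::InvalidURIError
  url # leave unparseable values untouched
end

# Returns [rewritten_html, still_insecure]: the second element lists
# http:// image URLs on hosts outside the allowlist, which browsers
# will still flag as mixed content on an HTTPS page.
def upgrade_insecure_images(html, hosts: HTTPS_CAPABLE_HOSTS)
  still_insecure = []
  fixed = html.gsub(IMG_SRC) do
    m = Regexp.last_match
    url = force_https(m[3], hosts)
    still_insecure << url if url.match?(/\Ahttp:/i)
    "#{m[1]}#{m[2]}#{url}#{m[2]}"
  end
  [fixed, still_insecure]
end
```

Links (`<a href>`) are left alone because navigating to an HTTP page does not make the current page mixed content; only subresources such as images do.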