Whitelist to allow onebox only with https domains?

(Keith) #1

I’m curious if there’s a way to whitelist only from https domains?

The problem:
I’m using Discourse for an extremely visual community, and have a ton of hesitations about my disk usage if I enable self-hosting of images (I’d rather let hosting sites solve storage and CDN problems for me). Allowing users to post content from other sites has been going well, with the exception of http vs https links. Is there an easy way I can prevent onebox (and warn users) from accepting links from non-https domains?

(Stephen) #2

If you’re talking about hotlinking images from other servers be warned that a lot of third party sites explicitly prohibit this. Even if they don’t put a technical block in place the image could later disappear because of technical changes at the other end.

Those are almost the best case scenario too. If a site owner realises you’re using their disk space and bandwidth, it’s not unheard of for them to replace or redirecting all of the requests to “unsavory” pictures.

This is why Discourse will automatically download any images linked within posts. Image links aren’t oneboxed at all, they will be served from the remote server only until Discourse gets around to downloading a copy and updating the URL to a local link.

(Rafael dos Santos Silva) #3

Using Digital Ocean Spaces will give you 250GB of image hosting per $5 a month. Enabling that + the Discouse download remote images to local setting can give you a very fast experience, while allowing users to add images from anywhere that are automatically fixed.

(Keith) #4

I think you’re forgetting about the entire section of the internet dedicated to hosting and delivering content. Giphy, Imgur, youtube, vimeo, etc. Additionally, almost all of the content our users are posting are from their own portfolio websites, either self hosted, or once again on content delivery platforms (art station, medium, etc)

Is that true even when this flag is unchecked?

Yes, I’m aware of the various ways that I can self host. That $5 when combined with CDN fees, stored for perpetuity combined with exponential growth of users and content doesn’t lead down a path that I’m interested in pursuing without exploring other options.

I appreciate both of your responses, but neither of you actually addressed the question I’ve asked:

I know I can whitelist only explicit domains, but I’m curious if it’s possible to set to allow any https domain.

(Stephen) #5

You’re asking about oneboxing, but as I said:

If a user directly links to an image from one of the services you mentioned:

There is no onebox.

Plus, Oneboxes are cached for 24 hours, I’ve not seen clarification either way as to whether unchecking that box disables the caching of the image asset explicitly, I’ve only seen it employed for image embeds. I guess it’s something you can go off and test though.

(Keith) #6

Ah, thank you so much for the clarification.I was mis-understanding the process used for displaying the images pasted as urls into a message (I’d assumed this was still a part of the onebox process)

So If I understand this correctly now, you’re saying that anytime I paste an image url from a site (say imgur), it pulls it and self hosts on my server (i.e. not a hotlink)?

What I’m trying to avoid are mixed content warnings/error messages from security audits of the site - currently users are pasting links without the https , even though their domain does have a valid ssl cert. I assumed that these were hotlinking, and thus causing the mixed content error messages

(Stephen) #7

Yes, if a user pastes a direct image URL with HTTP specified with that box unchecked it will link an insecure resource, but that’s not oneboxing. It’s just an embedded image. That’s part of why the downloading of external resources is usually preferable.

Oneboxing is the rich embed of external content:

The former onebox URL is http, the latter https.