Wordpress plugin receives avatar URL with HTTP protocol if site uses HTTPS and no CDN


#1

Hello! I have a Discourse installation that should only be used over HTTPS. However, since we also serve that forum on a Tor hidden service, we cannot use the “force HTTPS” checkbox in the options menu.

This is normally all well and good, except the Wordpress plugin gets an HTTP URL for the “avatar_template” value. I believe this is because discourse/app/serializers/post_wordpress_serializer.rb (and the other wordpress-related serializers) use UrlHelper.absolute object.user.avatar_template. This calls Discourse.base_url_no_prefix if a CDN is not configured (which is not on our site.) As such, the Wordpress plugin attempts to fetch (and embeds) the avatars over HTTP, which is less than ideal. I’m not terribly well versed in Ruby, so if this is completely incorrect I apologize. I can say for certain, however, that the API response from wordpress.json has a value of "avatar_template":"http://forums.whonix.org/letter_avatar_proxy/v2/letter/m/d2c977/{size}.png" even though we have the Discourse URL value in the Wordpress plugin settings as “https://forums.whonix.org”.

I’m not sure if this is a bug in Discourse or the Wordpress plugin (or perhaps both) but I thought I would post it here. Please redirect me to the appropriate location if this is not it.

If you need additional details, please let me know.
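The scheme mismatch reported in the post above can be checked from outside Discourse. The following Ruby script is an added example, not part of the thread and not Discourse or wp-discourse code: it scans a wordpress.json-style document for `avatar_template` values that use plain HTTP while the configured Discourse URL is HTTPS. The JSON layout and the second and third sample values are constructed, and the function names are hypothetical.

```ruby
require "json"
require "uri"

# Constructed sample shaped like a wordpress.json response. The key layout is
# an assumption; only the first avatar_template value is quoted from the post.
SAMPLE = <<~JSON
  {"posts": [
     {"username": "a", "avatar_template": "http://forums.whonix.org/letter_avatar_proxy/v2/letter/m/d2c977/{size}.png"},
     {"username": "b", "avatar_template": "https://forums.whonix.org/user_avatar/b/{size}/1.png"}],
   "participants": [
     {"username": "c", "avatar_template": "/letter_avatar_proxy/v2/letter/c/aaaaaa/{size}.png"}]}
JSON

# Recursively collect every "avatar_template" string, so the check does not
# depend on the exact nesting of the response.
def avatar_templates(node, found = [])
  case node
  when Hash
    node.each do |key, value|
      if key == "avatar_template" && value.is_a?(String)
        found << value
      else
        avatar_templates(value, found)
      end
    end
  when Array
    node.each { |item| avatar_templates(item, found) }
  end
  found
end

# True when the template is an absolute http:// URL. "{size}" is not valid in
# a URI, so it is replaced before parsing; unparseable values are not reported.
def plain_http?(template)
  URI.parse(template.gsub("{size}", "45")).scheme == "http"
rescue URI::InvalidURIError
  false
end

# Templates that a site configured with an HTTPS Discourse URL would embed
# over plain HTTP (mixed content). Relative templates are not flagged.
def insecure_avatar_templates(json_text, configured_url)
  return [] unless URI.parse(configured_url).scheme == "https"
  avatar_templates(JSON.parse(json_text)).select { |t| plain_http?(t) }
end

if __FILE__ == $PROGRAM_NAME
  insecure_avatar_templates(SAMPLE, "https://forums.whonix.org").each { |t| puts "mixed content: #{t}" }
end
```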


(Jeff Atwood) #2

This is … very bizarre. Either you are https, or you are not, there is no in between magical state.


#3

You’re not wrong, it’s a very strange use case. The reason is that we cannot get TLS certificates for our Tor hidden service currently, so we are forced to run with an HTTP listener explicitly for the hidden service. That being said, when accessing the site on the “regular” Internet, we have HSTS and force redirects to the HTTPS version of the site.

If we use the “force HTTPS” checkbox, the Discourse instance will no longer work properly when accessed via the Tor hidden service.


(Jeff Atwood) #4

This in between state is not something we support.


#5

Fair enough. We’ll find a workaround.


(Simon Cossar) #6

A quick and easy solution would be to customize the template functions in wp-discourse so that avatars are not displayed on your website.

Look at the section ‘An example that removes the avatar image from the comments_html template’ and ‘An example that removes the ‘participants’ section’:
WP Discourse template customization