allow only https:// avatars

Get help with installation and running phpBB 3.1.x here. Please do not post bug reports, feature requests, or extension related questions here.
Ideas Centre
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

NOTE: phpBB 3.1.x is at its End of Life stage and support will NOT be provided after July 1st, 2018.
Locked
User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

allow only https:// avatars

Post by richey » Sun Mar 27, 2016 1:42 am

Hello,

can anyone advise me where and how to add a few lines of code in order to only allow linking to remote avatars that are stored on secure websites ('https://' in the link)?

thanks,
r.
.

User avatar
stevemaury
Support Team Member
Support Team Member
Posts: 49638
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve
Contact:

Re: allow only https:// avatars

Post by stevemaury » Sun Mar 27, 2016 3:22 am

May I ask what benefit this will have?
For REALLY good and VERY inexpensive hosting CLICK HERE

I can stop all your spam. PM or email me.

All unsolicited PMs will be ignored.

User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

Re: allow only https:// avatars

Post by richey » Sun Mar 27, 2016 7:42 am

Thanks for asking, it's to avoid mixed content.

kind regards,
r.
.

User avatar
John connor
Registered User
Posts: 1791
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: allow only https:// avatars

Post by John connor » Mon Mar 28, 2016 2:23 am

Just to throw this out there in case someone comes across this post. If you use a reverse proxy like Cloudflare, having the option to upload remote avatars will expose your real IP address. Also, using your hosts E-mail using the MX record will show the real IP address as well. I use Google myself. But that can be limited unless you pay for more E-mails.
Last edited by John connor on Wed Feb 01, 2017 8:32 am, edited 1 time in total.

User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

Re: allow only https:// avatars

Post by richey » Thu Mar 31, 2016 1:04 pm

John connor wrote:About mixed content. Do you not allow images to be linked using this code? [img]someimage.com/image.gif[/img]

If so that will create mixed content.
that's exactly what my question is about. I'd like to modify the image URL checking code in order to allow only https:// links here to avoid mixed content caused by embedded remote avatar images.

kind regards,
R
.

User avatar
John connor
Registered User
Posts: 1791
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: allow only https:// avatars

Post by John connor » Fri Apr 01, 2016 7:15 am

But did you read this part?
I use TLS on my site as well, but I'm not worried about mixed content because I know the forum text and logins are encrypted. I ran a network sniffer to verify this loading my site.

User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

Re: allow only https:// avatars

Post by richey » Fri Apr 01, 2016 8:10 am

I'm fully aware of that ;) , but I want that little green locker icon for all pages of my site!
Because to the uninformed user, a board that loads remote images over an insecure connection looks ...well, insecure. :roll: 8-)
I'm currently upgrading all my sites to deliver all content via SSL, only the ones I'm using phpBB forums don't get classified as secure sites....this is annoying. The board software directly supporting that (like by a new option: "[x] allow only SSL links for remote images") or indirectly through a little manual code adjustment in the image checking routine would be most appreciated.
.

User avatar
canonknipser
Registered User
Posts: 1651
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: allow only https:// avatars

Post by canonknipser » Fri Apr 01, 2016 8:30 am

If its only about avatars: Why not disable remote avatars and force your users to upload their avatars to your site? This has also the benefit that your pages don't have to wait for weak loading foreign pages.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
John connor
Registered User
Posts: 1791
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: allow only https:// avatars

Post by John connor » Fri Apr 01, 2016 9:36 am

I know this site uses some kind of proxy that hosts the remote images. They won't say what they use I guess, but you could try doing some Google searching on secure remote image proxy hosting. Or something like phpBB secure remote proxy hosting. I'm interested in this myself, but never looked into it since I'm happy with the board wide announcement I made regarding encryption on the site and how third party content isn't secured. That's the nature of a forum.

First result in Google. viewtopic.php?f=496&t=2271541

Looks really complicated and you more than likely need a VPS or dedicated server. Not a shared server.

User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

Re: allow only https:// avatars

Post by richey » Sat Apr 02, 2016 1:56 pm

Thanks for the link, interesting!

The reason why uploading pictures to my site is not an option is the legal situation in Europe, where you can easily get sued by mafia-like groups of corporate lawyer sharks over copyright issues when storing and thus 'distributing' licensed images on your server ... and I an administrator can't check every image that is uploaded on a daily basis.

Anyway, back to topic :D - having some way of checking image links and requiring https:// links would be fantastic.
.

User avatar
John connor
Registered User
Posts: 1791
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Contact:

Re: allow only https:// avatars

Post by John connor » Sun Apr 03, 2016 4:55 am

The only other thing I can think of is some kind of extension that mandates HTTPS for images, or somehow blacklist all image hosting sites except an image hosting site that uses HTTPS.

User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

Re: allow only https:// avatars

Post by richey » Sun Apr 03, 2016 11:48 pm

Yeah, that's exactly what I'm looking for.

thx for your response!
r.
.

Sepp71
Registered User
Posts: 78
Joined: Sat Sep 06, 2008 11:32 pm
Location: Germany

Re: allow only https:// avatars

Post by Sepp71 » Thu Feb 02, 2017 10:47 pm

Has anyone found a solution for this?
Same problem here after switching to https.
Additionally I used to allow external links in signatures ("Ticker") which cause the same problem now, as some of them point to images on http-only-servers.

Sepp

cyrilca
Registered User
Posts: 10
Joined: Thu Jul 09, 2009 1:41 pm
Contact:

Re: allow only https:// avatars

Post by cyrilca » Fri Feb 03, 2017 10:05 am

Your question has already been split into a new topic there ;)
viewtopic.php?f=466&t=2406991

User avatar
richey
Registered User
Posts: 608
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace
Contact:

Re: allow only https:// avatars

Post by richey » Sun Apr 16, 2017 3:23 pm

thanks! :)
.

Locked

Return to “[3.1.x] Support Forum”

Who is online

Users browsing this forum: No registered users and 19 guests