allow only https:// avatars

NOTE: phpBB 3.1.x is at its End of Life stage and support will NOT be provided after July 1st, 2018.
richey
Registered User
Posts: 636
Joined: Mon Feb 18, 2002 4:26 pm
Location: now@Cyberspace

allow only https:// avatars

Post by richey »

Hello,

can anyone advise me where and how to add a few lines of code in order to only allow linking to remote avatars that are stored on secure websites ('https://' in the link)?

thanks,
r.
.
stevemaury
Support Team Member
Posts: 52767
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: allow only https:// avatars

Post by stevemaury »

May I ask what benefit this will have?
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)

Re: allow only https:// avatars

Post by richey »

Thanks for asking, it's to avoid mixed content.

kind regards,
r.
.
2600
I've Been Banned!
Posts: 2567
Joined: Fri Nov 14, 2014 5:14 pm
Location: Area-51

Re: allow only https:// avatars

Post by 2600 »

Just to throw this out there in case someone comes across this post. If you use a reverse proxy like Cloudflare, having the option to upload remote avatars will expose your real IP address. Also, using your host's E-mail using the MX record will show the real IP address as well. I use Google myself. But that can be limited unless you pay for more E-mails.
Last edited by 2600 on Wed Feb 01, 2017 8:32 am, edited 1 time in total.
Morpheus: Unfortunately, no one can be told what The Matrix is. You'll have to see it for yourself.
Hack me.
Consider a canary token.
The nature of my chosen username
:ugeek:

Re: allow only https:// avatars

Post by richey »

John connor wrote: About mixed content. Do you not allow images to be linked using this code? [img]someimage.com/image.gif[/img]

If so that will create mixed content.

That's exactly what my question is about. I'd like to modify the image URL checking code in order to allow only https:// links here to avoid mixed content caused by embedded remote avatar images.

kind regards,
R
.

Re: allow only https:// avatars

Post by 2600 »

But did you read this part?
I use TLS on my site as well, but I'm not worried about mixed content because I know the forum text and logins are encrypted. I ran a network sniffer to verify this loading my site.

Re: allow only https:// avatars

Post by richey »

I'm fully aware of that ;) , but I want that little green locker icon for all pages of my site!
Because to the uninformed user, a board that loads remote images over an insecure connection looks ... well, insecure. :roll: 8-)
I'm currently upgrading all my sites to deliver all content via SSL, only the ones where I'm using phpBB forums don't get classified as secure sites... this is annoying. The board software directly supporting that (like by a new option: "[x] allow only SSL links for remote images") or indirectly through a little manual code adjustment in the image checking routine would be most appreciated.
.
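
Added example (not part of the thread and not phpBB code): one way to express the check requested above as a standalone PHP function that accepts only absolute https:// image links. The function name `is_https_image_url`, the extension list and the sample URLs are assumptions made for illustration; where such a check would be hooked into phpBB is not shown on this page.

```php
<?php
// Added example: standalone validator, not taken from phpBB.
// Hypothetical helper name; written to run on PHP 5.4 or later.

function is_https_image_url($url, $allowed_ext = array('gif', 'jpg', 'jpeg', 'png'))
{
    $url = trim((string) $url);

    // Reject empty input, control characters, whitespace, quotes and angle brackets.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"<>]/', $url)) {
        return false;
    }

    $parts = parse_url($url);
    // Relative, protocol-relative ("//host/x.png") and scheme-less links lack one of these.
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }

    // The requirement from the thread: https only. URL schemes are case-insensitive.
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }

    // No embedded credentials such as https://user:pass@host/...
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // Extension check on the path only, so a query string cannot fake it.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    return in_array($ext, $allowed_ext, true);
}

// Constructed sample inputs (example.org hosts are placeholders).
$samples = array(
    'https://img.example.org/avatars/user1.png',     // accept
    'http://img.example.org/avatars/user1.png',      // reject: plain http
    '//img.example.org/avatars/user1.png',           // reject: no scheme
    'someimage.com/image.gif',                       // reject: no scheme or host
    'HTTPS://img.example.org/a.GIF',                 // accept: case-insensitive
    'https://user:pw@img.example.org/a.gif',         // reject: credentials
    'https://img.example.org/a.php?x=.png',          // reject: extension is php
);
foreach ($samples as $s) {
    printf("%-45s %s\n", $s, is_https_image_url($s) ? 'accept' : 'reject');
}
```

A check like this only affects links submitted after it is in place; avatars and signature images already stored with http:// links keep producing mixed content until they are changed.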
canonknipser
Registered User
Posts: 2096
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs

Re: allow only https:// avatars

Post by canonknipser »

If it's only about avatars: Why not disable remote avatars and force your users to upload their avatars to your site? This also has the benefit that your pages don't have to wait for weak loading foreign pages.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

Re: allow only https:// avatars

Post by 2600 »

I know this site uses some kind of proxy that hosts the remote images. They won't say what they use I guess, but you could try doing some Google searching on secure remote image proxy hosting. Or something like phpBB secure remote proxy hosting. I'm interested in this myself, but never looked into it since I'm happy with the board wide announcement I made regarding encryption on the site and how third party content isn't secured. That's the nature of a forum.

First result in Google. viewtopic.php?f=496&t=2271541

Looks really complicated and you more than likely need a VPS or dedicated server. Not a shared server.

Re: allow only https:// avatars

Post by richey »

Thanks for the link, interesting!

The reason why uploading pictures to my site is not an option is the legal situation in Europe, where you can easily get sued by mafia-like groups of corporate lawyer sharks over copyright issues when storing and thus 'distributing' licensed images on your server ... and I as an administrator can't check every image that is uploaded on a daily basis.

Anyway, back to topic :D - having some way of checking image links and requiring https:// links would be fantastic.
.

Re: allow only https:// avatars

Post by 2600 »

The only other thing I can think of is some kind of extension that mandates HTTPS for images, or somehow blacklist all image hosting sites except an image hosting site that uses HTTPS.

Re: allow only https:// avatars

Post by richey »

Yeah, that's exactly what I'm looking for.

thx for your response!
r.
.
Sepp71
Registered User
Posts: 84
Joined: Sat Sep 06, 2008 11:32 pm
Location: Germany

Re: allow only https:// avatars

Post by Sepp71 »

Has anyone found a solution for this?
Same problem here after switching to https.
Additionally I used to allow external links in signatures ("Ticker") which cause the same problem now, as some of them point to images on http-only-servers.

Sepp
cyrilca
Registered User
Posts: 12
Joined: Thu Jul 09, 2009 1:41 pm

Re: allow only https:// avatars

Post by cyrilca »

Your question has already been split into a new topic there ;)
viewtopic.php?f=466&t=2406991

Re: allow only https:// avatars

Post by richey »

thanks! :)
.