f3dora Posted December 24, 2016 Share Posted December 24, 2016 Currently the forum software just embeds the profile picture and embedded images in posts. This is a security risk for multiple reasons. 1. The linked website could use this to exploit security bugs in outdated browsers. 2. It is possible to see the IP address of every user who loads the picture (i didn't test this but the browser accesses the image on the original website). 3. The images are (if the link doesn't use https) served over http. By the way, i got an error because my profile picture was served over http, i changed the link to https and when i logged in today i noticed that the image is gone, was it automatically removed because of the https link? UPDATE: Just tried to set a custom profile picture and it just failed without an error when trying to use https link, the image is hosted on "i.imgur.com". Quote Link to comment
RobJ Posted December 24, 2016 Share Posted December 24, 2016 I don't have time at the moment, but I've been told recently somewhere, it's for security reasons that https links don't allow embedded images or videos. Just change the link to http and it will display. Something I found by trial and error was that if I use the youtube embed form, without all the iframe stuff, then it only shows the URL, not the embed. e.g www.youtube.com/embed/xyxyxyxyyxxyxyxyxyxyxy Quote Link to comment
f3dora Posted December 24, 2016 Author Share Posted December 24, 2016 it's for security reasons that https links don't allow embedded images or videos. HTTPS doesn't allow embedded http links. A website can disable/prevent getting embedded as an iframe but it has nothing to do with http/https. Quote Link to comment
RobJ Posted December 24, 2016 Share Posted December 24, 2016 I can see that when I don't have time to fully understand what was being posted, I should keep my mouth shut, until I do have time! Neither of us understood what the other was trying to say, and that's first of all my fault. I tried to be helpful, and make 2 points but both were rushed and poorly expressed. What I should have said was that "it's my understanding that for security reasons the forum software does not allow embedded images and videos using https links to display, but if you make them http links the embedded images and videos are allowed to display". But I'm no longer positive that is the same problem you were posting about. Then, thinking it was relevant, I wanted to expose a trick I found to make URL's display as URL's, not as embedded videos and images, something that is currently really hard to do. But it's not relevant to what you were posting about, so I'll post about it somewhere else. Quote Link to comment
f3dora Posted December 24, 2016 Author Share Posted December 24, 2016 What I should have said was that "it's my understanding that for security reasons the forum software does not allow embedded images and videos using https links to display, but if you make them http links the embedded images and videos are allowed to display". But I'm no longer positive that is the same problem you were posting about. I was posting about it as well (the problem with my profile picture, https links are for some reason blocked or just not embedded) but it has nothing to do with the biggest problem, images are displayed directly/not cached. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.