
Mixed content warnings when loading some referrers favicon #64

Closed
BrookeDot opened this issue Nov 20, 2019 · 4 comments

Comments

@BrookeDot
Contributor

My install runs over https, and I noticed a Mixed Content Warning in my browser (Firefox). After some investigation I tracked this down to the favicon of a referrer which used the http protocol. My browser blocked this icon and the default image is shown in the install, but I wanted to mention it here.

[Screenshot: Screen Shot 2019-11-19 at 9 30 16 PM]

I'm not sure what the best solution is; perhaps checking to see if it can be loaded over https and, if not, falling back may make the most sense, but that complicates the logic a bit. Another solution could be to force https, but that would surely break some favicons.
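One way to implement the "try https first, fall back only where it is safe" check described above, as an added example that is not Ackee's own code. It assumes the favicon lives at `/favicon.ico` (the same guess Ackee makes), and `isReachable` is an injected predicate standing in for a real HTTP check so the logic runs offline; the hostnames in the stub are constructed for the demo.

```javascript
// Added example (not Ackee's code): pick a favicon URL for a referrer without
// producing a passive mixed-content request on an HTTPS-served dashboard.

// Candidate favicon URLs for a referrer, most secure first. An http referrer
// gets the https variant first and the http original as a fallback; an https
// referrer never gets downgraded.
const faviconCandidates = (referrer) => {
  const url = new URL(referrer) // throws on anything that is not an absolute URL
  const path = '/favicon.ico'  // assumption: the favicon sits at the conventional path
  const secure = `https://${url.host}${path}`
  const insecure = `http://${url.host}${path}`
  return url.protocol === 'https:' ? [secure] : [secure, insecure]
}

// Resolve the favicon to load, or null to show the default icon.
//   pageScheme:  'https' or 'http', the scheme the dashboard itself is served on
//   isReachable: (url) => boolean, true when a GET of the URL would return 200.
//                In production this would be an HTTP probe; here it is injected
//                so the decision logic can be exercised without network access.
const resolveFavicon = (referrer, { pageScheme = 'https', isReachable }) => {
  let candidates
  try {
    candidates = faviconCandidates(referrer)
  } catch {
    return null // empty, relative or malformed referrer: nothing to guess from
  }
  for (const candidate of candidates) {
    // On an https dashboard an http image is passive mixed content: the browser
    // blocks it (or warns) and the request leaks the dashboard URL as Referer.
    // Never emit it; fall through to the default icon instead.
    if (pageScheme === 'https' && candidate.startsWith('http:')) continue
    if (isReachable(candidate)) return candidate
  }
  return null
}

// Constructed stub: only these URLs "answer 200" in the demo.
const reachableUrls = new Set([
  'https://github.com/favicon.ico',   // site available over https
  'http://legacy.example/favicon.ico', // constructed host that only serves http
])
const stubReachable = (url) => reachableUrls.has(url)

// Stand-alone demo.
for (const [referrer, pageScheme] of [
  ['http://github.com/some/page', 'https'],  // upgraded to https
  ['http://legacy.example/', 'https'],       // would be mixed content: default icon
  ['http://legacy.example/', 'http'],        // http dashboard: fallback is fine
  ['not a url', 'https'],                    // malformed referrer: default icon
]) {
  console.log(referrer, pageScheme, '->',
    resolveFavicon(referrer, { pageScheme, isReachable: stubReachable }))
}
```

The important branch is the `continue`: when the dashboard is on https and the only working favicon is http, the safe answer is the default icon, not a request the browser will block anyway.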

@electerious
Owner

electerious commented Nov 21, 2019

I don't think this is problematic. The favicons are just visual enhancements. Ackee is also just guessing that there's a favicon at /favicon.ico which isn't always the case.

Upgrading them to https could work, but when the referrer is http, there's a small chance that the site is available via https (it would be a badly configured server in this case).

@BrookeDot
Contributor Author

According to MDN, this type of warning from the browser is known as a passive mixed content warning. The biggest risk appears to be revealing the URL and allowing some tracking of an otherwise private Ackee install by the third-party site:

The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.

I looked into a few solutions and found a node package, favrat, as well as some solutions in other languages. It seems in most cases the idea is to cURL the site, check whether there's a favicon and you get a 200 response, then do something with the icon.

By far the easiest method is to use the Google API but we should keep Google out of Ackee by all means :)
http://s2.googleusercontent.com/s2/favicons?domain_url=http://github.com

Let me know if I can be of any other assistance here.

@electerious
Owner

The solutions aren't very satisfying, so I will stay with the current implementation. I don't think that revealing the URL of the Ackee instance is problematic enough.

@BrookeDot
Contributor Author

BrookeDot commented Dec 20, 2019

Thanks for the update here.

For those running NGINX, the following header can be added to prevent warnings on major browsers:

add_header Content-Security-Policy "block-all-mixed-content";

You can read more about that setting in the MDN article:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

Chrome/Chromium version 79+, which was released this week, will also auto-update insecure requests to secure ones:
https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html

Overall, I totally understand the desire to have the visual of the icon, but it's not worth it for me to expose even the install URL.
