Mixed content warnings when loading some referrers favicon #64
Comments
I don't think this is problematic. The favicons are just visual enhancements. Ackee is also just guessing that there's a favicon at Upgrading them to https: Could work, but when the referrer is http then there's a small chance that the site is available via https (it would be a badly configured server in this case).
According to MDN, this type of warning from the browser is known as a passive mixed content warning. The biggest risks appear to be revealing the URL and allowing some tracking of an otherwise private Ackee install to the third-party site:
I looked into a few solutions and found a node package favrat as well as some solutions in other languages. It seems in most cases the idea is to cURL the site, see if there's a favicon and you get a 200 response, then do something with the icon. By far the easiest method is to use the Google API, but we should keep Google out of Ackee by all means :) Let me know if I can be of any other assistance here.
The solutions aren't very satisfying, so I will stay with the current implementation. I don't think that revealing the URL of the Ackee instance is problematic enough.
Thanks for the update here. For those running NGINX, the following header can be added to prevent warnings on major browsers:
You can read more about that setting in the MDN article: Chrome/Chromium version 79+, which was released this week, will also auto-upgrade insecure requests to secure: Overall, I totally understand the desire to have the visual of the icon, but it's not worth it for me to expose even the install URL.
My install runs over https, and I noticed a Mixed Content Warning in my browser (Firefox). After some investigation I tracked this down to the favicon of a referrer which used the http protocol. My browser blocked this icon and the default image is shown in the install, but I wanted to mention it here. I'm not sure what the best solution is; perhaps checking to see if it can be loaded over https and, if not, falling back may make the most sense, but that complicates the logic a bit. Another solution could be to force https, but that would surely break some favicons.