New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Breaks external HTTP images on HTTPS pages #258
Comments
We do not allow access to non secure pages/content from within a secure site: https://forums.geforce.com |
This is a pretty naive approach. If any site could be made secure just by replacing Blindly replacing |
We may be wrong in assuming that anybody who goes through the trouble of setting a secure site will make sure that its content is equally secure. As I've explained this is how Ghostery currently works. |
@Marat-Tanalin We only check for mixed content when users have Smart Blocking enabled. To your point, it is an opt-in feature. You can disable it by clicking on the blue light-bulb icon in Ghostery. You can see here where we attempt to upgrade the request to https.
As you mentioned, this won't work in all cases but we've decided that the risk of loading insecure content on a secure page outweighs any potential hassle caused by accidentally blocking legitimate site content. Nonetheless, it's an optional feature which users may choose to disable at their discretion. |
Opt-in means disabled by default. Smart Blocking is apparently enabled by default given that images did not load when I tested with a clean Firefox profile with Ghostery just installed and used with default settings. If you’ll decide to keep it enabled by default (which I believe would be a mistake), then it would probably make sense for you at least to consider making it more explicit and clear to user: instead of silently replacing |
Those are all good points. The Smart Blocking feature is a bit of a black box right now. There should be an indicator in the UI explaining what type of requests it's blocking. I'll make a ticket for it. |
Can we add an option to allow mixin plz? Cant continue to use Ghostery because this bug.... |
This issue affects me too, it took me some time to find out the problem is caused by Ghostery. As mentioned by the issuer, this is standards-violating behavior. In cases of user generated content like forums, you cannot assume the site owner always has control that all content is also always served over https. As far as I know, browsers block by default leaking data like referer or https-cookies to http externa connections. I also agree it would be nice if the user is notified if http is replaced by https. |
My two cents: that’s behavior is correct and should stay in place, but to make clear for user that what happens is expected behavior there should be a tip somewhere with link to explanation how much information can be exposed in case this feature will be disabled coz for many people this tech scoop not obvious |
Just ran into this bug - replacing |
Description
Looks like Ghostery started to automatically replace
http
withhttps
(note the s) inIMG
element’ssrc
attribute. This breaks external images located on HTTP sites that don’t have HTTPS version.Tested with a new clean profile with Ghostery installed as the only extension. Disabling Ghostery as an extension via Firefox extension manager does help.
Expected Behavior
Ghostery should not touch regular (not related to trackers or advertisement) images, at least by default. Images should work by default. Such web-incompatible features should be opt-in.
Just replacing
http
withhttps
does not magically make all sites working via HTTPS.Actual Behavior
External (located on a host different from the host the page is located on) HTTP images on HTTPS sites do not load if the external site does not have an HTTPS version.
Steps to Reproduce
Image
is displayed instead of the actual image.Versions
The text was updated successfully, but these errors were encountered: