Closed
Bug 701665
(wh-6875897)
Opened 13 years ago
Closed 12 years ago
twitter profile image causes mixed content condition on support
Categories
(support.mozilla.org :: Army of Awesome, task, P1)
support.mozilla.org
Army of Awesome
Tracking
(Not tracked)
VERIFIED
FIXED
2012-03-06
People
(Reporter: mgoodwin, Assigned: rrosario)
Details
(Whiteboard: [infrasec:tls] [ws:moderate][wh-6875897] u=contributor c=aoa s=2012.5 p=1 )
Issue: Twitter profile images are served over HTTP when the rest of the page is served over HTTPS; this causes browsers to issue mixed content warnings and desensitises users to security warnings on mozilla sites.

Steps to reproduce:
1) Visit https://support.allizom.org/en-US/army-of-awesome?twitter_auth_request=1
2) View source
3) Observe img elements with src attribute set to a non-HTTPS URL

Resolution: Is it possible to source the twitter profile images from an HTTPS URL?
Comment 1•13 years ago
It would appear that twitter do serve profile images securely for their own pages; I don't know if there's a supported way for others to do this.
Comment 2•13 years ago
If the URL for the images doesn't change, except in the protocol, we can probably put protocol-relative URLs there.
Updated•12 years ago
Assignee: nobody → rrosario
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [infrasec:tls] [ws:moderate][wh-6875897] → [infrasec:tls] [ws:moderate][wh-6875897] u=contributor c=aoa s=2012.5 p=1
Updated•12 years ago
Priority: -- → P3
Updated•12 years ago
Priority: P3 → P1
Comment 3•12 years ago
Twitter doesn't seem to support https on their {a0,a1,a2,...}.twimg.com domain. But the Twitter API has a nice endpoint that supports https and http: https://api.twitter.com/1/users/profile_image/<username> A protocol-relative URL should work with that \o/
Comment 4•12 years ago
Snap, the documentation [1] says: "This method should only be used by application developers to lookup or check the profile image URL for a user. This method must not be used as the image source URL presented to users of your application." https://dev.twitter.com/docs/api/1/get/users/profile_image/%3Ascreen_name
Comment 5•12 years ago
Turns out that the API also has a 'profile_image_url_https' field in the JSON response for each tweet. https://github.com/mozilla/kitsune/commit/85ca508f61a117cdfc284b19e2316a1dd7fefad3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2012-03-06
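Added example (not kitsune's code or the commit above): how a page could pick the avatar URL from a tweet's JSON so that an HTTPS page never embeds an http:// image, plus the check from the reporter's steps 2 and 3 (scan the rendered HTML for img elements whose src would be mixed content). The field names profile_image_url and profile_image_url_https come from this bug; the tweet values are constructed.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a tweet carrying the two avatar fields named in the bug.
# Hostnames and paths are made up; only the field names are from the thread.
SAMPLE_TWEET = json.loads("""{
  "id": 123, "text": "constructed sample tweet",
  "user": {
    "screen_name": "example_user",
    "profile_image_url": "http://a0.twimg.com/profile_images/123/avatar_normal.png",
    "profile_image_url_https": "https://si0.twimg.com/profile_images/123/avatar_normal.png"
  }
}""")


def secure_profile_image(tweet):
    """Return the avatar URL that is safe to embed on an HTTPS page.

    Uses profile_image_url_https (the fix in comment 5) and verifies the scheme
    really is https. Returns None rather than ever falling back to the plain
    profile_image_url, which would reintroduce the mixed content warning.
    """
    url = tweet.get("user", {}).get("profile_image_url_https")
    if url and urlsplit(url).scheme == "https":
        return url
    return None


class MixedContentScanner(HTMLParser):
    """Collect img src values that would trigger a mixed content warning."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = dict(attrs).get("src") or ""
        # A protocol-relative src ("//host/path") has an empty scheme and inherits
        # https from the page, so only an explicit http:// scheme is flagged.
        if urlsplit(src).scheme == "http":
            self.insecure.append(src)


def find_mixed_content_images(html):
    """Return the list of http:// img sources found in the given HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.insecure
```

Running the scanner over the page source from step 2 of the report reproduces the reporter's finding; an empty list after the fix confirms the avatar no longer downgrades the page.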
Updated•12 years ago
Status: RESOLVED → VERIFIED
Comment 6•8 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security