Bug 701665 (wh-6875897)

twitter profile image causes mixed content condition on support

VERIFIED FIXED in 2012-03-06

Status

support.mozilla.org
Army of Awesome
P1
normal
VERIFIED FIXED

People

(Reporter: mgoodwin, Assigned: rrosario)

Tracking

unspecified
2012-03-06

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:tls] [ws:moderate][wh-6875897] u=contributor c=aoa s=2012.5 p=1)

(Reporter)

Description

6 years ago
Issue:
Twitter profile images are served over HTTP when the rest of the page is served over HTTPS; this causes browsers to issue mixed content warnings and desensitises users to security warnings on mozilla sites.

Steps to reproduce:
1) Visit https://support.allizom.org/en-US/army-of-awesome?twitter_auth_request=1
2) View source
3) Observe img elements with src attribute set to a non-HTTPS URL

Resolution:
Is it possible to source the twitter profile images from an HTTPS URL?
(Reporter)

Comment 1

6 years ago
It would appear that twitter do serve profile images securely for their own pages; I don't know if there's a supported way for others to do this.
If the URL for the images doesn't change, except in the protocol, we can probably put protocol-relative URLs there.
(Assignee)

Updated

6 years ago
Assignee: nobody → rrosario
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [infrasec:tls] [ws:moderate][wh-6875897] → [infrasec:tls] [ws:moderate][wh-6875897] u=contributor c=aoa s=2012.5 p=1
(Assignee)

Updated

6 years ago
Priority: -- → P3
(Assignee)

Updated

6 years ago
Priority: P3 → P1
(Assignee)

Comment 3

6 years ago
Twitter doesn't seem to support https on their {a0,a1,a2,...}.twimg.com domain. But the Twitter API has a nice endpoint that supports https and http:
https://api.twitter.com/1/users/profile_image/<username>

A protocol-relative URL should work with that \o/
(Assignee)

Comment 4

6 years ago
Snap, the documentation [1] says:

"This method should only be used by application developers to lookup or check the profile image URL for a user. This method must not be used as the image source URL presented to users of your application."

[1] https://dev.twitter.com/docs/api/1/get/users/profile_image/%3Ascreen_name
(Assignee)

Comment 5

6 years ago
Turns out that the API also has a 'profile_image_url_https' field in the JSON response for each tweet.

https://github.com/mozilla/kitsune/commit/85ca508f61a117cdfc284b19e2316a1dd7fefad3
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2012-03-06
Status: RESOLVED → VERIFIED
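As an added illustration of the fix described in Comment 5 (not code from the kitsune commit or from this bug), the snippet below picks the `profile_image_url_https` field from a tweet's user object for embedding on an HTTPS page, and runs a simple mixed-content check over an HTML fragment like the one the reproduction steps describe. The tweet JSON, the HTML fragments and the `si0.twimg.com` host are constructed sample values.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample tweet JSON with the two profile image fields discussed in the bug
SAMPLE_TWEET = json.loads("""
{
  "text": "Example tweet",
  "user": {
    "screen_name": "example_user",
    "profile_image_url": "http://a0.twimg.com/profile_images/123/avatar.png",
    "profile_image_url_https": "https://si0.twimg.com/profile_images/123/avatar.png"
  }
}
""")


def secure_profile_image(tweet):
    """Return an image URL that is safe to embed on an HTTPS page, or None.

    Only profile_image_url_https is trusted. The plain profile_image_url is
    not rewritten to https because, per Comment 3, the a0..aN twimg hosts
    did not serve HTTPS, so a rewritten URL would simply fail to load.
    """
    url = tweet.get("user", {}).get("profile_image_url_https")
    if url and urlsplit(url).scheme == "https":
        return url
    return None  # caller should fall back to a locally hosted placeholder


# Matches the src attribute of <img> tags in an HTML fragment (quoted values only)
IMG_SRC = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def mixed_content_images(html, page_scheme="https"):
    """List <img> src values that would trigger a mixed-content warning."""
    if page_scheme != "https":
        return []
    # Protocol-relative (//host/...) and path-relative URLs inherit https,
    # so only an explicit http:// scheme counts as mixed content.
    return [src for src in IMG_SRC.findall(html) if urlsplit(src).scheme == "http"]


# Constructed fragments: what view-source showed before, and after the fix
PAGE_BEFORE = '<img src="http://a0.twimg.com/profile_images/123/avatar.png" alt="">'
PAGE_AFTER = '<img src="%s" alt="">' % secure_profile_image(SAMPLE_TWEET)
```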
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security