
XF 1.4 Disabling image proxy for secure images?

#1
Admin Home > Options > Messages has the option to proxy images - which I turned on after converting my XenForo install to HSTS. Because, as the current comments say,
"Proxying of images is especially important if you are running your site through SSL (HTTPS)."
However - the proxy isn't really needed if images are already served through HTTPS, is it? Shouldn't there be an option to not use the proxy if images are already secure?
 
#3
That's currently working as expected - no browser security errors, lock icon showing by the URL. Though I have got complaints when some people try and copy image URLs.

It's just the redundant SSL image hosting AND proxy I'd like to avoid.
 

Brogan

XenForo moderator
Staff member
#4
So you want the proxy to determine if the image has been embedded using http or https and apply accordingly?

What if someone embeds an image using https but there isn't a valid certificate?
 
#5
That's correct.

Well, testing current behavior, using an unsigned certificate on another domain:
  • Standard HTML shows it as a broken image, which can be clicked through to see the certificate warning
  • XenForo proxy pulls the image regardless of the certificate
Hmm. I'd like to encourage users to use sites with proper SSL certificates, but it's an ease of use thing, isn't it.

I think it would be valid if XenForo's proxy script were to serve a 301 header - instead of an image - if it were to detect the image were being served with a valid certificate. Probably a new column in an appropriate table, but the potential for fewer images in local cache.
 

Mike

XenForo developer
Staff member
#6
The proxy is not solely for HTTPS reasons, though that was the main/initial motivation. It can also prevent external servers from getting any information from your visitors (number of times the image is loaded, IP/browser info, etc), prevent them from setting cookies (not on your domain, but something along the cookie stuffing line), and smooth out issues if the external server is flaky. These are all independent of how the image is served (and why using the proxy can be useful on a HTTP site).

As such, you'd need a modification to change the behavior of the proxy system.
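
The trade-off discussed in posts #5 and #6, as an added example that is not part of the thread and is not XenForo's code: a sketch of the proposed "301 when the certificate is valid" rule, next to the reasons for proxying that do not depend on HTTPS. The function names and the `hide_visitors` switch are hypothetical, and the URLs in the demo are constructed.

```python
import socket
import ssl
from urllib.parse import urlsplit


def has_valid_certificate(host, port=443, timeout=5.0):
    """True if host completes a TLS handshake whose chain and hostname
    validate against the system trust store."""
    context = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):  # bad certificate, refused, timed out
        return False


def proxy_decision(image_url, hide_visitors=True, cert_check=has_valid_certificate):
    """Return ("proxy", None) or ("redirect", image_url) for an embedded image.

    hide_visitors is a hypothetical admin switch. When True the proxy always
    fetches the image itself, so the remote host never sees visitor IPs,
    browser details or cookies (the reasons given in post #6).
    """
    parts = urlsplit(image_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an embeddable image URL: %r" % image_url)
    if hide_visitors:
        return ("proxy", None)
    if parts.scheme != "https":
        return ("proxy", None)  # plain HTTP would be mixed content on an HTTPS page
    if not cert_check(parts.hostname, parts.port or 443):
        return ("proxy", None)  # a direct embed would show as a broken image
    return ("redirect", image_url)  # answered with a 301 and this Location


if __name__ == "__main__":
    # Constructed URLs; the stub stands in for the live handshake.
    stub = lambda host, port: host == "img.example.org"
    for url in ("https://img.example.org/a.png",
                "https://selfsigned.example.net/a.png",
                "http://img.example.org/a.png"):
        print(url, proxy_decision(url, hide_visitors=False, cert_check=stub))
```

With `hide_visitors` left at its default every image is proxied, which matches the behavior described in the thread.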