XF 1.4 Disabling image proxy for secure images?

Discussion in 'XenForo Questions and Support' started by sudrien, Mar 24, 2015.

  1. sudrien

    sudrien Member

    Admin Home > Options > Messages has the option to proxy images - which I turned on after converting my XenForo install to HSTS. Because, as the current comments say,
    However - the proxy isn't really needed if images are already served through HTTPS, is it? Shouldn't there be an option to not use the proxy if images are already secure?
  2. Brogan

    Brogan XenForo Moderator Staff Member

    What about members embedding images from non-SSL sites?
  3. sudrien

    sudrien Member

    That's currently working as expected - no browser security errors, lock icon showing by the URL. Though I have got complaints when some people try and copy image URLs.

    It's just the redundant SSL image hosting AND proxy I'd like to avoid.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    So you want the proxy to determine if the image has been embedded using http or https and apply accordingly?

    What if someone embeds an image using https but there isn't a valid certificate?
  5. sudrien

    sudrien Member

    That's correct.

    Well, testing current behavior, using an unsigned certificate on another domain
    • Standard HTML shows it as a broken image, which can be clicked through to see the certificate warning
    • XenForo proxy pulls the image regardless of the certificate
    Hmm. I'd like to encourage users to use sites with proper SSL certificates, but it's an ease of use thing, isn't it.

    I think it would be valid if XenForo's proxy script were to serve a 301 header - instead of an image - if it were to detect the image were being served with a valid certificate. Probably a new column in an appropriate table, but the potential for fewer images in local cache.
  6. Mike

    Mike XenForo Developer Staff Member

    The proxy is not solely for HTTPS reasons, though that was the main/initial motivation. It can also prevent external servers from getting any information from your visitors (number of times the image is loaded, IP/browser info, etc), prevent them from setting cookies (not on your domain, but something along the cookie stuffing line), and smooth out issues if the external server is flaky. These are all independent of how the image is served (and why using the proxy can be useful on an HTTP site).

    As such, you'd need a modification to change the behavior of the proxy system.
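
The redirect-or-proxy decision discussed in posts 5 and 6, as an added sketch that is not part of the thread and is not XenForo code. `image_action` and `has_valid_certificate` are hypothetical names, and Python stands in here for the PHP a real modification would be written in.

```python
import socket
import ssl
from urllib.parse import urlsplit


def has_valid_certificate(host, port=443, timeout=5.0):
    """True only if the host completes a TLS handshake with a chain and
    hostname that the system trust store accepts."""
    # The default context requires a trusted chain and a matching hostname,
    # which is the check a browser applies before it renders the image.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:
        # ssl.SSLError, certificate verification failures, timeouts and
        # DNS errors are all OSError subclasses: treat every one as invalid.
        return False


def image_action(url, cert_check=has_valid_certificate):
    """Return 'proxy' or 'redirect' for an embedded image URL.

    'redirect' is the 301 proposed in post 5. It gives up the benefits
    listed in post 6: the external server sees each visitor's IP and
    browser info and can set cookies.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or 443  # raises ValueError on a malformed port
    except ValueError:
        return "proxy"
    if parts.scheme != "https" or not parts.hostname:
        # Plain HTTP embeds would be mixed content on an HTTPS forum.
        return "proxy"
    if not cert_check(parts.hostname, port):
        # A browser would show a broken image, so keep serving it locally.
        return "proxy"
    return "redirect"
```
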