Duplicate WYSIWYG editor doesn't use image proxy

[PaulB]

Affected version

2.x, 1.5.21

This also applies to 1.x, which is what I'm personally interested, but it seems to be an issue on XenForo.com as well, which I assume uses 2.x.

We're getting CSP reports indicating that when users attempt to embed images in posts using the WYSIWYG editor, the image is loaded directly without using the image proxy. There are several issues with this:

1. The image doesn't necessarily use HTTPS. If the forums use HTTPS, this results in a mixed-content warning. Depending on the browser, the user's settings, and the headers sent by the site, the browser may refuse to load the image, or it may attempt to load the image over HTTPS, which the target site may not support.
2. It's a privacy concern, which is part of the reason for using the image proxy.
3. We're headed in the direction of browsers blocking HTTP requests entirely on pages loaded over HTTPS, regardless of settings/headers.

There's a catch to fixing this: the URL should be subject to basic spam and censor checks before a valid proxy link is returned by the server. If the user can't currently post anyway--for example, due to flooding restrictions--they shouldn't receive a proxy URL. If the URL would be censored or blocked, again, they shouldn't receive a proxy URL. Otherwise, any registered user could more or less arbitrarily proxy any URL.

 

[Mike]

This is a known issue: https://xenforo.com/community/threads/https-and-tinymces-images.109716/ (And likely a rather significant issue to attempt to resolve.)