
User contributed images on a HTTPS site without mixed content warnings

@Cofer257

Posted in: #Https #Images

I have a forum where, like most forums, users can post images. I've set up HTTPS across the site, but of course most external images are linked using HTTP, not HTTPS. So loading the forum over HTTPS shows mixed content warnings, etc.

What are some strategies for tackling this problem? Some of the images are from my own site so I can rewrite those URLs to use HTTPS since I know it will work. But for external URLs many don't work with HTTPS so I can't do a blanket rewrite.

I could rewrite non-secure images to links instead of inline images, but that doesn't look great and may be confusing for users. Any better solutions?




2 Comments


@Yeniel560

Just realised that I never posted my solution. The answer provided in Stephen's comment is what solved it for me. In short, I created a proxy script that does the following:


If the image is https, leave it alone.
If the image is http and from a site known to support https (e.g. my own site, imgur.com etc) then rewrite to https.
Otherwise if the image is http, rewrite it to use example.com/imgproxy?img=ORIGINALURL&hash=KEY

Then the proxy script fetches the HTTP image, caches it locally, and outputs the image data. On repeated requests it outputs the cached data directly. The linked SO answer describes the security hash and other details.

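The three rewrite rules and the signed proxy URL described in the answer above, as an added example that is not part of the original post or of the linked SO answer. It assumes HMAC-SHA256 for the hash; the secret key, the allowlist contents and all function names are placeholders chosen for illustration.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for this sketch; none of them come from the original post.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"
PROXY_ENDPOINT = "https://example.com/imgproxy"
HTTPS_CAPABLE_HOSTS = {"example.com", "imgur.com"}  # hosts known to serve HTTPS


def sign(url: str) -> str:
    """HMAC-SHA256 over the original URL; only the server can produce it."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_image_url(url: str) -> str:
    """Apply the post's three rules to one user-supplied image URL."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url  # rule 1: already secure, leave it alone
    if parts.scheme != "http":
        raise ValueError("unsupported scheme")  # e.g. javascript:, data:, file:
    if (parts.hostname or "").lower() in HTTPS_CAPABLE_HOSTS:
        return parts._replace(scheme="https").geturl()  # rule 2: upgrade in place
    # rule 3: route through the proxy, with a hash binding the URL to our key
    return PROXY_ENDPOINT + "?" + urlencode({"img": url, "hash": sign(url)})


def verify_proxy_request(query_string: str) -> Optional[str]:
    """Proxy side: return the URL to fetch, or None if the request is unsigned.

    Without this check the endpoint would fetch any URL a visitor supplies,
    turning it into an open proxy.
    """
    params = parse_qs(query_string)
    img = params.get("img", [""])[0]
    supplied = params.get("hash", [""])[0]
    if not img or urlsplit(img).scheme != "http":
        return None
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(sign(img).encode(), supplied.encode("utf-8")):
        return None
    return img
```

The proxy should additionally confirm that the fetched response is actually an image and cap its size before caching it.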


 

@Debbie626

It's not possible to have insecure resources in a secure page, and not get the mixed content warning.

For user agents that support it, the upgrade-insecure-requests directive is an instruction to attempt to load the resource over https or fail trying.

Other user agents will ignore the directive, continuing to load the insecure resources.

Here is an article on the Google Developers site discussing this and other options.


