Browse Source

Allow `http:` image URLs if Converse.js is loaded on an insecure origin.

Currently, in order for Converse.js to recognize a pasted URL as an
image, it must be an URL whose protocol is `https:` (`https` in the
URI.js library's notation). This is sensible, but means that any
non-HTTPS image URL is not recognized as a valid URL (and thus will not
be rendered inline, even if `show_images_inline` is set to `true`).

It is important to always check for HTTPS URLs when in a secure context
(i.e., the initial page load was requested via HTTPS) in order to ensure
that non-secured content does not mix with secured content. However, the
inverse is not true: if the original page was loaded over HTTP, then
enforcing HTTPS for images adds arguably no meaningful protection while
also breaking the `show_images_inline` feature for the edge cases where
Converse.js is deployed without HTTPS and a user pastes an HTTP URL.

This patch changes the behavior of the `isImageURL` method such that the
requirement for the pasted URL's protocol to be `https:` is enforced
only when the `window.location.protocol` itself is also `https:`. By
doing this, we ensure that secure origins (i.e., when Converse.js is
loaded over HTTPS initially) are still secured and cannot have non-HTTPS
content introduced to the page via a pasted non-HTTPS URL, however it
also allows non-HTTPS origins to render both HTTP and HTTPS image URLs.
Meitar M 6 năm trước cách đây
mục cha
commit
76bff83ca3
2 tập tin đã thay đổi với 2 bổ sung1 xóa
  1. 1 0
      CHANGES.md
  2. 1 1
      src/utils/html.js

+ 1 - 0
CHANGES.md

@@ -9,6 +9,7 @@
 - Allow setting of debug mode via URL with `/#converse?debug=true`
 - New config setting [locked_muc_domain](https://conversejs.org/docs/html/configuration.html#locked-muc-domain)
 - New config setting [show_client_info](https://conversejs.org/docs/html/configuration.html#show-client-info)
+- Render inline images served over HTTP if Converse itself was loaded on an unsecured (HTTP) page.
 - #1149: With `xhr_user_search_url`, contact requests are not being sent out
 - #1213: Switch roster filter input and icons
 - #1327: fix False mentions positives in URLs and Email addresses

+ 1 - 1
src/utils/html.js

@@ -90,7 +90,7 @@ u.isImageURL = function (url) {
         url = new URI(url);
     }
     const filename = url.filename().toLowerCase();
-    if (url.protocol().toLowerCase() !== "https") {
+    if (window.location.protocol === 'https:' && url.protocol().toLowerCase() !== "https") {
         return false;
     }
     return filename.endsWith('.jpg') || filename.endsWith('.jpeg') ||