Home Explore Help
Register Sign In
im-changing.ru
/
converse.js
mirror of https://github.com/conversejs/converse.js.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Allow `http:` image URLs if Converse.js is loaded on an insecure origin.

Currently, in order for Converse.js to recognize a pasted URL as an
image, it must be an URL whose protocol is `https:` (`https` in the
URI.js library's notation). This is sensible, but means that any
non-HTTPS image URL is not recognized as a valid URL (and thus will not
be rendered inline, even if `show_images_inline` is set to `true`).

It is important to always check for HTTPS URLs when in a secure context
(i.e., the initial page load was requested via HTTPS) in order to ensure
that non-secured content does not mix with secured content. However, the
inverse is not true: if the original page was loaded over HTTP, then
enforcing HTTPS for images adds arguably no meaningful protection while
also breaking the `show_images_inline` feature for the edge cases where
Converse.js is deployed without HTTPS and a user pastes an HTTP URL.

This patch changes the behavior of the `isImageURL` method such that the
requirement for the pasted URL's protocol to be `https:` is enforced
only when the `window.location.protocol` itself is also `https:`. By
doing this, we ensure that secure origins (i.e., when Converse.js is
loaded over HTTPS initially) are still secured and cannot have non-HTTPS
content introduced to the page via a pasted non-HTTPS URL, however it
also allows non-HTTPS origins to render both HTTP and HTTPS image URLs.
Meitar M 6 years ago
parent
ed9d2a2526
commit
76bff83ca3
2 changed files with 2 additions and 1 deletions
Split View Show Diff Stats
  1. 1 0
      CHANGES.md
  2. 1 1
      src/utils/html.js

+ 1 - 0
CHANGES.md
View File 

@@ -9,6 +9,7 @@
 
 - Allow setting of debug mode via URL with `/#converse?debug=true`
 
 - New config setting [locked_muc_domain](https://conversejs.org/docs/html/configuration.html#locked-muc-domain)
 
 - New config setting [show_client_info](https://conversejs.org/docs/html/configuration.html#show-client-info)
 
+- Render inline images served over HTTP if Converse itself was loaded on an unsecured (HTTP) page.
 
 - #1149: With `xhr_user_search_url`, contact requests are not being sent out
 
 - #1213: Switch roster filter input and icons
 
 - #1327: fix False mentions positives in URLs and Email addresses

+ 1 - 1
src/utils/html.js
View File 

@@ -90,7 +90,7 @@ u.isImageURL = function (url) {
 
         url = new URI(url);
 
     }
 
     const filename = url.filename().toLowerCase();
 
-    if (url.protocol().toLowerCase() !== "https") {
 
+    if (window.location.protocol === 'https:' && url.protocol().toLowerCase() !== "https") {
 
         return false;
 
     }
 
     return filename.endsWith('.jpg') || filename.endsWith('.jpeg') ||