If a package has an icon with an http:// url it is used on https:// pages and browser reports the page as insecure

[edyoung]

Repro: open https://www.powershellgallery.com/packages/Daterpillar.Automation/4.8.8

Observe in browser toolbar the page is shown as 'not secure'. That's because the page fetches datapiller.png via HTTP.

Should we use https? In this case the image is not fetchable via http but maybe that's still preferable.

[bormm]

So whats the exact issue here? I took a look at the page and the nupkg: The package explicit owner specified "http" for the url of the icon and that url is used and the browser correctly mentions that the page uses insecure-http parts. So anything is working correctly. Do you request that powershellgallery should not show any icon if you access via https and the icon is only http? Why would that be an improvement?

I personally would close this, as it is no issue that powershellgallery can fix. The only thing that could be done is a validation step within the publishing process and disallow submitting nupkgs containing a http url with an image. But that would be a new feature I think.