
Mixed content warning due to a thumbnail being served over HTTP

Open Calinou opened this issue 6 years ago • 5 comments

See the homepage (as of 2017-11-09): https://godotengine.org/asset-library/asset

If you access the asset library in HTTPS (using a web browser), you'll see a mixed content warning:

[Image: assetlib_mixed_content_warning]

This is because an image (here, the thumbnail of the latest submitted asset) is requested using HTTP instead of HTTPS:

[Image: assetlib_http_image]

Usage of HTTPS for media such as images should probably be enforced to suppress this warning.

Calinou, Nov 09 '17 00:11

Indeed. BTW we should also enforce the redirection of the assetlib itself to HTTPS, there's a login feature so we don't want it to go over HTTP.

akien-mga, Nov 09 '17 09:11
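A check for the condition reported above, as an added example that is not part of the original thread or the asset library's code: it scans a page's HTML for subresources an HTTPS page would load over HTTP, and also flags form targets because the thread raises the login feature. The host names, `find_mixed_content` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, URL attribute) -> how a browser treats an insecure load from an HTTPS page.
RULES = {
    ("img", "src"): "passive",    # warned about or auto-upgraded
    ("script", "src"): "active",  # blocked
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # stylesheets only, see below
    ("form", "action"): "form",   # submitted data would travel in cleartext
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched as subresources
        for (rule_tag, attr), category in RULES.items():
            if rule_tag == tag and attrs.get(attr):
                # urljoin resolves relative and protocol-relative (//host) URLs
                url = urljoin(self.page_url, attrs[attr])
                if urlsplit(url).scheme == "http":
                    self.findings.append((category, tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; every host is a placeholder.
PAGE_URL = "https://assetlib.example/asset"
SAMPLE_HTML = """
<link rel="canonical" href="http://assetlib.example/asset">
<img src="/static/logo.png">
<img src="//cdn.example/banner.png">
<img src="http://user-host.example/thumb.png">
<script src="http://js.example/app.js"></script>
<form action="http://assetlib.example/login" method="post"></form>
"""

if __name__ == "__main__":
    for finding in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(*finding)
```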

> Usage of HTTPS for media such as images should probably be enforced to suppress this warning.

I think we should go the route suggested in #83 by uploading the thumbnail to the server instead of asking people to use HTTPS. This would help fix #84 as well...

bojidar-bg, Nov 09 '17 11:11

You have to add that file to your server; it's a common thing. Any resource (client side) which is being added to the script/markup language will result in this.

  1. I won't recommend uploading image files to the server, if you care those from hackers,
  2. Better, since it is a small file just 64 x 64, convert those into base64 and use that, base 64 is coded, in ANSI, might eat up more space from the server, but it is the best solution, to be used as image files

abhaskumarsinha, Jan 13 '18 13:01

> I won't recommend uploading image files to the server, if you care those from hackers,

Many techniques exist to make image uploading more secure. It's best to have a separate domain to apply all of these (a subdomain is not enough), but some mitigations can be done without one.

> Better, since it is a small file just 64 x 64, convert those into base64 and use that, base 64 is coded, in ANSI, might eat up more space from the server, but it is the best solution, to be used as image files

Base64 is less efficient than binary files and cannot be cached by browsers, so it should be avoided. Besides, we may want to provide 128×128 images for hiDPI displays in the future, making Base64 even less desirable.

Calinou, Jan 13 '18 15:01

> Many techniques exist to make image uploading more secure. It's best to have a separate domain to apply all of these (a subdomain is not enough), but some mitigations can be done without.

Facebook hackathon 2018 recently discovered a vulnerability that was caused by image upload. A backdoor was uploaded, which then hacked the root user of the FACEBOOK LINUX servers. Unless you have an extremely good Linux firewall, I would not recommend that to you.

If you have Metasploit with msfconsole installed, then you can see how the image upload vulnerability is exploited.

> Base64 is less efficient than binary files and cannot be cached by browsers, so it should be avoided. Besides, we may want to provide 128×128 images for hiDPI displays in the future, making Base64 even less desirable.

Are you sure? Chromium browsers are open source; just look at the source code and you'll see that it converts all PNGs into base64 and then shows them as content. I mean every PNG file, which is either used in an img tag or CSS3, is converted to base64. Also, I don't know how it's that fast or why they do so. God knows.

If you have another Server with different Layer/Domain and SSL properly Installed, then there would not be much problem. It's a good idea.

abhaskumarsinha, Jan 14 '18 14:01