Hurricane Electric's IPv6 Tunnel Broker Forums

Tunnelbroker.net Specific Topics => Questions & Answers => Topic started by: snarked on September 22, 2016, 11:53:37 AM

Title: Forum Avatar
Post by: snarked on September 22, 2016, 11:53:37 AM
The Forum Avatar element of a user's profile seems to accept ONLY "http" URLs and NOT "https" URLs.  Please allow the latter.  Why?  Because as the forum operates in HTTPS mode, no referrer field is sent for fetching an external http URL (including images) by most browsers (by default).  This means that if the web site hosting the image protects itself against cross-site bandwidth stealing by using the referrer field, the request for the image will always be denied.

When an HTTPS page is served and the image elements are also requested via HTTPS, the referrer header is sent, thus granting access to the image.


Note the proposed draft RFC that is coming regarding referrer control:  https://w3c.github.io/webappsec/specs/referrer-policy/
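
The behaviour described in the post, as an added example that is not part of the original thread: a small model of which `Referer` value a browser attaches to an image request under the policies named in the linked Referrer Policy document, paired with a hotlink check on the image host. The hostnames, the `hotlinkAllows` check and its deny-on-missing-referrer rule are constructed assumptions based on the post's description.

```javascript
// Added example. Simplification: "downgrade" means an https page requesting a non-https URL;
// the spec's full test is "potentially trustworthy URL", which also covers cases like localhost.
function computeReferer(pageUrl, resourceUrl, policy = "no-referrer-when-downgrade") {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const downgrade = page.protocol === "https:" && res.protocol !== "https:";
  const sameOrigin = page.origin === res.origin;
  const full = page.origin + page.pathname + page.search; // credentials and fragment stripped
  const originOnly = page.origin + "/";
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "unsafe-url": return full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Hypothetical hotlink protection on the image host: only listed referring origins
// are served, and a request with no Referer is denied (the case the post describes).
function hotlinkAllows(referer, allowedOrigins) {
  if (referer === null) return false;
  let origin;
  try { origin = new URL(referer).origin; } catch { return false; }
  return allowedOrigins.includes(origin);
}

function avatarLoads(pageUrl, avatarUrl, policy, allowedOrigins) {
  return hotlinkAllows(computeReferer(pageUrl, avatarUrl, policy), allowedOrigins);
}

// Constructed sample values, not taken from the forum.
const PAGE = "https://forum.example/index.php?topic=1#msg2";
const ALLOWED = ["https://forum.example"];
for (const avatar of ["http://img.example/a.png", "https://img.example/a.png"]) {
  for (const policy of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
    console.log(avatar, policy, "->", avatarLoads(PAGE, avatar, policy, ALLOWED));
  }
}
```

Under both policies shown in the loop, the `http` avatar is refused because the browser sends no referrer on the downgrade, while the `https` avatar is served.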