• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Forum Avatar

Started by snarked, September 22, 2016, 11:53:37 AM

snarked

The Forum Avatar element of a user's profile seems to accept ONLY "http" URLs and NOT "https" URLs.  Please allow the latter.  Why?  Because as the forum operates in HTTPS mode, no referrer field is sent for fetching an external http URL (including images) by most browsers (by default).  This means that if the web site hosting the image protects itself against cross-site bandwidth stealing by using the referrer field, the request for the image will always be denied.

When an HTTPS page is served and the image elements are also requested via HTTPS, the referrer header is sent, thus granting access to the image.


Note the proposed draft RFC that is coming regarding referrer control:  https://w3c.github.io/webappsec/specs/referrer-policy/
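
The behaviour described in the post above, as an added example that is not part of the original post: it models which Referer value a browser attaches to an image request under two standard referrer policies and feeds it to a hotlink check. The host names, the allow-list and the `hotlinkAllows` check are assumptions made for illustration, and "downgrade" is simplified to https-to-non-https.

```javascript
// Constructed sample values; none of these hosts come from the forum thread.
const FORUM_PAGE = 'https://forum.example/index.php?action=profile';
const ALLOWED_REFERRER_HOSTS = ['forum.example']; // hypothetical image-host allow-list

// Simplification: a downgrade is an https page requesting a non-https resource.
const isDowngrade = (page, res) => page.protocol === 'https:' && res.protocol !== 'https:';

// A Referer value never carries credentials or the fragment.
function stripForReferrer(u) {
  const c = new URL(u.href);
  c.username = '';
  c.password = '';
  c.hash = '';
  return c.href;
}

// Returns the Referer header value, or null when the browser sends none.
function refererFor(pageUrl, resourceUrl, policy = 'no-referrer-when-downgrade') {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  if (isDowngrade(page, res)) return null; // both modelled policies omit it here
  switch (policy) {
    case 'no-referrer-when-downgrade':
      return stripForReferrer(page);
    case 'strict-origin-when-cross-origin':
      // Full URL to the same origin, only the origin to other origins.
      return page.origin === res.origin ? stripForReferrer(page) : page.origin + '/';
    default:
      throw new Error('policy not modelled: ' + policy);
  }
}

// Hypothetical hotlink protection: deny when Referer is absent or not allow-listed.
function hotlinkAllows(referer, allowedHosts) {
  if (referer === null) return false;
  try {
    return allowedHosts.includes(new URL(referer).hostname);
  } catch {
    return false; // unparseable Referer is treated as absent
  }
}

// True when the image host would serve the avatar to a visitor of the forum page.
function avatarLoads(avatarUrl, policy) {
  return hotlinkAllows(refererFor(FORUM_PAGE, avatarUrl, policy), ALLOWED_REFERRER_HOSTS);
}
```
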