Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Forum Avatar  (Read 716 times)

snarked

Forum Avatar
« on: September 22, 2016, 11:53:37 AM »

The Forum Avatar element of a user's profile seems to accept ONLY "http" URLs and NOT "https" URLs.  Please allow the latter.  Why?  Because as the forum operates in HTTPS mode, no referrer field is sent for fetching an external http URL (including images) by most browsers (by default).  This means that if the web site hosting the image protects itself against cross-site bandwidth stealing by using the referrer field, the request for the image will always be denied.

When an HTTPS page is served and the image elements are also requested via HTTPS, the referrer header is sent, thus granting access to the image.


Note the proposed draft RFC that is coming regarding referrer control:  https://w3c.github.io/webappsec/specs/referrer-policy/
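The behaviour described in the post above, as an added example that is not part of the original post: a JavaScript model of the `no-referrer-when-downgrade` rule and of a Referer-based hotlink check on the image host. The hostnames, function names and the assumption that the image host rejects requests carrying no Referer are constructed for illustration.

```javascript
// Constructed sample values (not from the forum or any real site).
const FORUM_PAGE = 'https://forums.example.net/index.php?topic=1#msg5';
const ALLOWED_REFERRING_HOSTS = ['forums.example.net'];

// Referer a browser sends under "no-referrer-when-downgrade",
// or null when the header is omitted.
function refererFor(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  // Downgrade: an HTTPS page requesting a non-HTTPS resource sends no Referer.
  if (page.protocol === 'https:' && resource.protocol !== 'https:') {
    return null;
  }
  // The referrer never carries the fragment or embedded credentials.
  page.hash = '';
  page.username = '';
  page.password = '';
  return page.href;
}

// Hotlink protection as an image host might apply it (assumed policy):
// serve the image only when the Referer names an allowed host.
// allowEmpty says whether requests without a Referer are let through.
function hotlinkAllowed(referer, allowedHosts, allowEmpty) {
  if (referer === null) {
    return allowEmpty;
  }
  let host;
  try {
    host = new URL(referer).hostname;
  } catch (err) {
    return false; // malformed Referer is treated as a denial
  }
  return allowedHosts.includes(host);
}

// End to end: does an avatar at imageUrl load when embedded in pageUrl?
function avatarLoads(pageUrl, imageUrl, allowedHosts, allowEmpty = false) {
  const referer = refererFor(pageUrl, imageUrl);
  return hotlinkAllowed(referer, allowedHosts, allowEmpty);
}
```

An image host that accepts empty Referers (`allowEmpty` set to `true`) would serve the http avatar as well, so the denial depends on that host's policy as much as on the browser.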