PerfectlyNormal / tinymce-rails-imageupload

Image upload plugin for TinyMCE and Rails with the asset pipeline
MIT License

Image upload failed inside HTTPS site #71

Closed ldonnet closed 6 years ago

ldonnet commented 8 years ago

Hi,

It's a bit complicated because I don't know if the bug comes from this gem or from the JavaScript library. I use your latest version 4.X, and when I want to upload an image on my https site it fails. However, just a few days ago I had no problem without https. Perhaps the problem comes from the use of http in the URL for the picture.

Do you have any clues about this behaviour, or are there other people with the same problem? Thanks for your time and your work!

Image in app/models:

class Image < ActiveRecord::Base

  # Accessible attributes
  attr_accessible :file,
                  :alt,
                  :hint

  # Attached files
  has_attached_file :file,
                    :styles => { :tinymce => "800>"},
                    :default_url => ""

  validates_attachment_content_type :file, :content_type => /\Aimage\/.*\Z/
  validates_with AttachmentSizeValidator, attributes: :file, less_than: 1.megabyte
end 

TinymceAssetsController in app/controllers

class TinymceAssetsController < ApplicationController
  respond_to :json

  def create
    image = Image.create params.slice(:file, :alt, :hint)

    render json: {
      image: {
          url: image.file.url(:tinymce)
      }
    }, layout: false, content_type: "text/html"

  end

end

Best Regards Luc Donnet

ldonnet commented 8 years ago

I tried your demo using https instead of http and it seems to work: https://murmuring-lowlands-1342.herokuapp.com/ Do you think it's possible that new commits led to this bug?

ldonnet commented 8 years ago

The culprit could be the breach-mitigation-rails gem. It adds a comment to every https response in text/html:

{"image":{"url":"https://.../myfile.png"}}
<!-- This is a random-length HTML comment: wxtyykqqulygunbngkintdjpueycxxeponvdjeywomfxihtwrpvqgqlqcyhpjmjcctgrjstvzahxtdudwpfqyojbrmomsllolygonphoatybpoqvdcnjjyckthzofbtfhognohehtasfbwjxhoyhszygjffbhfwfedrkrxhgzstdmhnzewdhrmkcaqejfoekeuehdqxmeyprdvzsvtujfxhksplwvljbtoxwpuqzzchufgvzdaqivdnzurvmznytdhyozopxipubrdpknfabofiwkyadezwdprckbfhqvanjbcbzzuctslbeszkbazhsumyyblnroxfijavypxbnwgfgtmllxwhoeqfidulsyhzhmfmawmikefziuadeaczajorlmqqljfikekenrvfgmbyaklkwssgbwomubdkpvwdbvvpgfjiblurystapkrjvokrivemkapnejkwmgasqdwsekjyoxqgbtdowkzzfvsanrdlpgxluhpuwarhwuemfqahvtwpjsbottznxhqclmelawouqttfawgieotqtdawnnkjkllwimogrkxazuejywoowwrrpyllhwafrubhlwooovxtkiwrllysvdcfgfawmqtjgunwjlmyijphbbiivlgnakmjmcruysaowjjdkznwvpxxcrexxdgzpivldlolcjnzebrmbgzcchysqdfkqzdnxpnfyfalstbunzvvgoznbotjynpivasgittwprguvskshlcathmmqdamfy -->

Why must you use content_type: "text/html" in your json response?

PerfectlyNormal commented 8 years ago

I'm guessing the breach-mitigation-rails gem is the "problem" in this case. The real issue is that we have to use text/html and not something more sensible.

I think, if I remember correctly, that earlier versions of Internet Explorer (at least 8 and 9) refused to work with anything other than text/html, trying to download the JSON instead of passing it to the script.

EDIT: Yes, that was the problem.

s-lee-kwong commented 8 years ago

Anyone have a solution to the https problem?

sobrinho commented 6 years ago

HTTPS is not the problem itself; it is breach-mitigation-rails that is messing (as it should) with the text/html responses.

Maybe you can try a text/plain response instead, I don't know.

Follow #7 for more on this.
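
The failure described in this thread, as an added Ruby example that is not part of the original issue or of either gem's code: a simplified stand-in for a length-hiding middleware pads HTTPS `text/html` responses with a random-length HTML comment, and a JSON client then fails to parse the upload reply. The class and helper names and the `example.invalid` URL are assumptions made for illustration.

```ruby
require "json"
require "securerandom"

# Simplified stand-in for a length-hiding middleware (constructed for this
# example; not the breach-mitigation-rails source). It pads only HTTPS
# responses labelled text/html, as described in the thread.
class LengthHidingPad
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    html = headers["Content-Type"].to_s.start_with?("text/html")
    return [status, headers, body] unless html && env["rack.url_scheme"] == "https"

    filler = SecureRandom.alphanumeric(SecureRandom.random_number(1..64))
    padded = body.join + "\n<!-- This is a random-length HTML comment: #{filler} -->"
    [status, headers.merge("Content-Length" => padded.bytesize.to_s), [padded]]
  end
end

# Hypothetical upload endpoint returning the same JSON shape as the controller
# in the thread, with a configurable Content-Type.
def upload_app(content_type)
  payload = JSON.generate(image: { url: "https://example.invalid/myfile.png" })
  ->(_env) { [200, { "Content-Type" => content_type }, [payload]] }
end

# Fetch through the middleware and parse the body the way a JSON client would.
# Returns the image URL, or :parse_error when the body is no longer valid JSON.
def client_result(content_type, scheme)
  _, _, body = LengthHidingPad.new(upload_app(content_type)).call("rack.url_scheme" => scheme)
  JSON.parse(body.join).dig("image", "url")
rescue JSON::ParserError
  :parse_error
end

if __FILE__ == $PROGRAM_NAME
  [["text/html", "http"], ["text/html", "https"],
   ["application/json", "https"], ["text/plain", "https"]].each do |type, scheme|
    puts "#{scheme.ljust(5)} #{type.ljust(16)} -> #{client_result(type, scheme)}"
  end
end
```

Only the HTTPS `text/html` case yields `:parse_error`, which matches the report that the same upload worked over plain HTTP. Per the maintainer's comment, `application/json` is not a drop-in replacement where Internet Explorer 8 and 9 must be supported.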