bangumi / issues

Official issue tracking for Bangumi.tv
https://github.com/bangumi/issues/issues

Incorrect default person avatar URL #79

Closed Sai closed 2 years ago

Sai commented 2 years ago

This is the default blank avatar on the person wiki:

<span class="avatarNeue avatarReSize32 ll" style="background-image:url('//lain.bgm.tv/pic/crt/s/')"></span>

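Under the https protocol, this requests https://lain.bgm.tv/pic/crt/s/

which is then 301-redirected to http://bgm.tv/pic/crt/s/, causing some requests to become HTTP requests.

https://bgm.tv/pic/crt/s/ is in turn actually an HTML 404 page.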

Originally posted by @Trim21 in https://github.com/bangumi/issues/issues/72#issuecomment-876599811

upsuper commented 2 years ago

This is a potential security risk: because none of bgm.tv's cookies are marked Secure, this extra HTTP request leaks all of the cookies to a man-in-the-middle.

upsuper commented 2 years ago

I suggest at least fixing this https-to-http redirect as soon as possible.

Sai commented 2 years ago

Fixed
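
The check discussed in this thread, as an added example that is not part of the original issue or the Bangumi code base: it walks a recorded redirect chain, flags each https-to-http hop, and lists the cookies without the Secure attribute that a browser would attach to the cleartext request. The cookie names and values and the second hop are constructed assumptions; only the first redirect and the final 404 come from the report.

```python
from urllib.parse import urljoin, urlsplit

def parse_set_cookie(header, origin_host):
    """Reduce one Set-Cookie header to name, domain scope and Secure flag."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest)}
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {"name": first.split("=", 1)[0],
            "domain": domain or origin_host,
            "host_only": not domain,   # no Domain attribute: exact host only
            "secure": "secure" in attrs}

def sent_to(cookie, host):
    """Domain-match rule: exact host, or a subdomain when Domain was set."""
    if host == cookie["domain"]:
        return True
    return not cookie["host_only"] and host.endswith("." + cookie["domain"])

def audit_chain(hops, jar):
    """Report each https->http redirect and the cookies it sends in cleartext."""
    findings = []
    for url, status, location in hops:
        if status not in (301, 302, 303, 307, 308) or not location:
            continue
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            host = urlsplit(target).hostname
            exposed = sorted(c["name"] for c in jar
                             if not c["secure"] and sent_to(c, host))
            findings.append({"from": url, "to": target, "exposed": exposed})
    return findings

# Constructed cookie jar: names and values are hypothetical, not bgm.tv's real cookies.
JAR = [parse_set_cookie("session=CONSTRUCTED; Domain=.bgm.tv; Path=/; HttpOnly", "bgm.tv"),
       parse_set_cookie("prefs=CONSTRUCTED; Domain=bgm.tv; Path=/", "bgm.tv"),
       parse_set_cookie("csrf=CONSTRUCTED; Domain=bgm.tv; Secure", "bgm.tv"),
       parse_set_cookie("cdn=CONSTRUCTED; Path=/", "lain.bgm.tv")]

# First hop is the redirect reported in the issue; the second hop is assumed.
HOPS = [("https://lain.bgm.tv/pic/crt/s/", 301, "http://bgm.tv/pic/crt/s/"),
        ("http://bgm.tv/pic/crt/s/", 301, "https://bgm.tv/pic/crt/s/"),
        ("https://bgm.tv/pic/crt/s/", 404, None)]

if __name__ == "__main__":
    for f in audit_chain(HOPS, JAR):
        print(f"{f['from']} -> {f['to']} exposes {f['exposed']}")
```

HttpOnly does not help here: the `session` cookie is still sent on the cleartext hop, while the Secure `csrf` cookie and the host-only `cdn` cookie are not.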