eloquence / lib.reviews

A free/libre code and information platform for reviews of anything
Creative Commons Zero v1.0 Universal

Prevent embedding images via http:// URLs #180

Closed eloquence closed 6 years ago

eloquence commented 6 years ago

Mixing HTTP and HTTPS is a bad idea and causes security warnings in modern browsers. Embedding images from external sites is inherently challenging (privacy, archival, etc.), but while we permit it, we should disallow http:// URLs for security reasons.

eloquence commented 6 years ago

Fixed in production via a CSP (see https://github.com/eloquence/lib.reviews/commit/ea6d4d6a46cf0e40e2fe057959cd7316b59f6ec9); embeds are now upgraded to HTTPS where possible, or ditched otherwise. Would still be nice to show some kind of message in the UI when inserting HTTP images via the RTE.
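The two pieces discussed in this thread, a CSP that upgrades or drops plain-HTTP image embeds and a pre-save check that could drive the editor message, as an added example written for this page rather than code from the lib.reviews project; the function names, the directive set and the Markdown/HTML patterns are assumptions.

```javascript
// Added example, not lib.reviews project code. Function names, directives and
// patterns below are assumptions chosen for illustration.

// Build a Content-Security-Policy value for image embeds.
// `upgrade-insecure-requests` makes the browser rewrite http:// subresource
// requests to https:// before fetching; `img-src https:` then blocks any image
// that still cannot be loaded over TLS (the "upgraded or ditched" behaviour).
function buildImageCsp({ allowData = true } = {}) {
  const imgSrc = ["'self'", 'https:'];
  if (allowData) imgSrc.push('data:'); // inline data: URIs never hit the network
  return ['upgrade-insecure-requests', `img-src ${imgSrc.join(' ')}`].join('; ');
}

// Express-style middleware that sets the header on every response.
function cspMiddleware(req, res, next) {
  res.setHeader('Content-Security-Policy', buildImageCsp());
  next();
}

// Image references in Markdown image syntax ![alt](url "title") and in raw
// <img src="..."> tags; capture group 1 is the URL as the author typed it.
const IMG_PATTERNS = [
  /!\[[^\]]*\]\(\s*([^)\s]+)[^)]*\)/g,
  /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi,
];

// Return the image URLs in `text` that use plain http://, so the editor can
// show a message before the content is saved. Relative URLs resolve against
// `base` and so are treated as same-origin HTTPS; unparsable URLs are skipped.
function findInsecureImageUrls(text, base = 'https://lib.reviews/') {
  const insecure = [];
  for (const re of IMG_PATTERNS) {
    for (const m of text.matchAll(re)) {
      let url;
      try { url = new URL(m[1], base); } catch { continue; }
      if (url.protocol === 'http:') insecure.push(m[1]);
    }
  }
  return insecure;
}

// Constructed sample review text (not real user content).
const SAMPLE =
  '![cover](http://example.com/a.png) text ' +
  '<img src="https://example.com/b.png"> more ![rel](/uploads/c.png)';
```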