fossar / selfoss

multipurpose rss reader, live stream, mashup, aggregation web application
https://selfoss.aditu.de
GNU General Public License v3.0

Prevent mixed content when using HTTPS #733

Open jbfavre opened 8 years ago

jbfavre commented 8 years ago

Many feeds aren't available in HTTPS. When selfoss is set up with HTTPS, this results in a mixed content warning from the browser. Default behaviour with a decent browser is to block mixed content from loading, which is good for both security & privacy.

I'd like to make feed content, images for example, be rewritten to use a specific selfoss route as a proxy, with something like "https://selfoss.domain.tld/content_proxy/".urlencode(real_url).

Not sure about the best way to achieve it, but I think this might be done with htmLawed, even though I don't know how.

bertptrs commented 8 years ago

+1 on this issue, would really like to see this. A solution would be to indeed parse the html of the document, and re-write all images. Scripts should not be rewritten, because that can be a vector for an XSS attack.

unnikked commented 8 years ago

I solved it by setting the base_url to https://mydomain.com in the config.ini file.

It seems to work also for http feeds.

jtojnar commented 7 years ago

This is what camo is for.
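The proposal at the top of the thread (an https `content_proxy` route fed with the urlencoded real URL) and the camo pointer fit together: camo-style proxies HMAC-sign the upstream URL, so the route can only fetch URLs the server itself rewrote and never becomes an open proxy. The block below is an added example written for this page, not selfoss code and not camo itself; it is in Python rather than the project's PHP so it can be read and run stand-alone. It rewrites only plain-http `<img src>` attributes, leaves `<script>` untouched as bertptrs suggests, and shows the server-side signature check. `BASE_URL`, `PROXY_SECRET`, the `/content_proxy/<hmac>/<url>` path layout and the sample item are all assumptions made for the example.

```python
import hashlib
import hmac
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote, urlparse

# Assumed for this example only: the instance's https base URL and a per-installation
# secret. A real deployment would read both from config.ini, never hard-code them.
BASE_URL = "https://selfoss.domain.tld"
PROXY_SECRET = b"example-secret-change-me"


def sign_url(url, secret=PROXY_SECRET):
    """HMAC-SHA256 over the upstream URL (the same idea camo uses for its signed URLs)."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url(url, base_url=BASE_URL, secret=PROXY_SECRET):
    """Build the https route for one plain-http URL: /content_proxy/<hmac>/<urlencoded url>.

    Without the signature the route is an open proxy that anyone could point at any
    host; with it, only URLs this server rewrote are accepted.
    """
    return f"{base_url}/content_proxy/{sign_url(url, secret)}/{quote(url, safe='')}"


def resolve_proxy_request(path, secret=PROXY_SECRET):
    """Server side of the route: return the upstream URL for a valid request, else None."""
    prefix = "/content_proxy/"
    if not path.startswith(prefix):
        return None
    digest, _, encoded = path[len(prefix):].partition("/")
    url = unquote(encoded)
    if not hmac.compare_digest(digest, sign_url(url, secret)):
        return None  # tampered URL or digest
    if urlparse(url).scheme != "http":
        return None  # only plain-http resources are ever proxied
    return url


class ImageRewriter(HTMLParser):
    """Rewrite http:// <img src> to the proxy route and pass everything else through.

    <script src> is deliberately left alone so the proxy can never be used to serve
    script from our own origin.
    """

    def __init__(self, base_url=BASE_URL, secret=PROXY_SECRET):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. untouched
        self.base_url, self.secret = base_url, secret
        self.out, self.rewritten = [], 0

    def _emit_tag(self, tag, attrs, selfclosing=False):
        parts = [tag]
        for name, value in attrs:
            if (tag == "img" and name == "src" and value is not None
                    and urlparse(value.strip()).scheme == "http"):
                value = proxy_url(value.strip(), self.base_url, self.secret)
                self.rewritten += 1
            # HTMLParser hands us unescaped attribute values; escape them on the way out
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def rewrite_feed_html(fragment, base_url=BASE_URL, secret=PROXY_SECRET):
    """Return (rewritten html, number of image sources rewritten)."""
    p = ImageRewriter(base_url, secret)
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.rewritten


# Constructed sample item, not a real feed: one http image (rewritten), one https
# image (kept), one http script (kept, never proxied) and an entity in text.
SAMPLE_ITEM = (
    '<p>Fish &amp; chips</p>'
    '<img src="http://cdn.example.org/pic.png?a=1&amp;b=2" alt="pic">'
    '<img src="https://secure.example.org/ok.png">'
    '<script src="http://evil.example.org/x.js"></script>'
)

if __name__ == "__main__":
    out, n = rewrite_feed_html(SAMPLE_ITEM)
    print(n, "image(s) rewritten")
    print(out)
```

The rewriter is not a sanitizer: it should run on markup that has already been cleaned (the thread mentions htmLawed for that), and it only handles `src`, so `srcset` and CSS `url()` references would still trigger mixed content. The signature stops strangers from using the route, but the fetcher behind it should still refuse loopback and private addresses and non-image responses, since a feed author can put any URL in an `<img>`.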