godotengine / godot-asset-library

PHP frontend for Godot Engine's asset library
https://godotengine.org/asset-library
MIT License

Mixed content warning due to a thumbnail being served over HTTP #119

Open Calinou opened 6 years ago

Calinou commented 6 years ago

See the homepage (as of 2017-11-09): https://godotengine.org/asset-library/asset

If you access the asset library in HTTPS (using a web browser), you'll see a mixed content warning:

assetlib_mixed_content_warning

This is because an image (here, the thumbnail of the latest submitted asset) is requested using HTTP instead of HTTPS:

assetlib_http_image

Usage of HTTPS for media such as images should probably be enforced to suppress this warning.
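
A mixed-content check of the kind this report describes, as an added example that is not part of the original thread or the project's code: it lists the subresources an HTTPS page would request over plain HTTP, separating display media such as the thumbnail from active content. The sample markup, hosts and paths are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Passive (display-only media): traditionally loaded with a warning.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
# Active (can script or restyle the page): blocked by browsers.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split()
        for name, value in attrs.items():
            if not value:
                continue
            if (tag, name) in PASSIVE:
                kind = "passive"
            elif (tag, name) in ACTIVE or (is_css and name == "href"):
                kind = "active"
            else:
                continue  # e.g. <a href>: navigation, not a subresource
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return HTTP subresources of an HTTPS page; [] if the page itself is HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample markup; hosts and paths are placeholders.
SAMPLE_PAGE = "https://godotengine.org/asset-library/asset"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/style.css">
<img src="http://assets.example/icon.png" width="64" height="64">
<img src="//assets.example/icon2.png">
<script src="http://cdn.example/app.js"></script>
<a href="http://example.com/">plain link</a>
"""
```

Calling `find_mixed_content(SAMPLE_PAGE, SAMPLE_HTML)` reports the HTTP thumbnail as passive and the HTTP script as active; the relative stylesheet and the protocol-relative image inherit HTTPS from the page and are not reported.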

akien-mga commented 6 years ago

Indeed. BTW, we should also enforce the redirection of the assetlib itself to HTTPS; there's a login feature, so we don't want it to go over HTTP.

bojidar-bg commented 6 years ago

> Usage of HTTPS for media such as images should probably be enforced to suppress this warning.

I think we should go the route suggested in #83 by uploading the thumbnail to the server instead of asking people to use HTTPS. This would help fix #84 as well...

abhaskumarsinha commented 6 years ago

You have to add that file to your server. It's a common thing: any client-side resource that is added to the script/markup language will result in this.

  1. I won't recommend uploading image files to the server, if you care about protecting those from hackers.
  2. Better, since it is a small file, just 64 x 64, convert it into Base64 and use that. Base64 is coded in ANSI and might eat up more space on the server, but it is the best solution to be used for image files.

Calinou commented 6 years ago

> I won't recommend uploading image files to the server, if you care about protecting those from hackers.

Many techniques exist to make image uploading more secure. It's best to have a separate domain to apply all of these (a subdomain is not enough), but some mitigations can be done without one.

> Better, since it is a small file, just 64 x 64, convert it into Base64 and use that. Base64 is coded in ANSI and might eat up more space on the server, but it is the best solution to be used for image files.

Base64 is less efficient than binary files and cannot be cached by browsers, so it should be avoided. Besides, we may want to provide 128×128 images for hiDPI displays in the future, making Base64 even less desirable.

abhaskumarsinha commented 6 years ago

> Many techniques exist to make image uploading more secure. It's best to have a separate domain to apply all of these (a subdomain is not enough), but some mitigations can be done without.

Facebook hackathon 2018 recently discovered a vulnerability that was caused by image upload. A backdoor was uploaded, which then hacked the root user of the FACEBOOK LINUX servers. Unless you have an extremely good Linux firewall, I would not recommend that to you.

If you have Metasploit with msfconsole installed, then you can see how the image upload vulnerability is exploited.

> Base64 is less efficient than binary files and cannot be cached by browsers, so it should be avoided. Besides, we may want to provide 128×128 images for hiDPI displays in the future, making Base64 even less desirable.

Are you sure? Chromium browsers are open source; just look at the source code and you'll see that it converts all PNGs into Base64 and then shows them as content. I mean every PNG file, which is either used in an img tag or CSS3, is converted to Base64. Also, I don't know how it's that fast or why they do so. God knows.

If you have another server with a different layer/domain and SSL properly installed, then there would not be much of a problem. It's a good idea.