1.0.0
- Flarum 1.0 compatibility
- Improve http->https proxy by using guzzle
- Ensure image compatibility even after the extension is disabled. Now uses textformatter->render
Installation
composer require fof/secure-https:"*"
php flarum cache:clear
I am getting a permission error for users that aren't administrators. Is there a setting for this that I am missing?
neko thanks for the report. This seems to be an oversight on our part during the last Flarum update.
We'll need to fix this in the extension. I have created a GitHub issue with the cause FriendsOfFlarum/secure-https16
Great mod. Thanks.
The picture preview of the v17development/flarum-blog plug-in is not proxied
After installing and enabling the v17development/flarum-blog plug-in, the picture preview in the blog list and the header picture of the individual blog page (which is the same picture as the list preview) are not proxied, and picture sources using the http protocol are not displayed.
Profile image cannot be uploaded when this extension is enabled on FreeFlarum forums. Console:
Refused to load the image 'blob:https://www.forum.tld/d59515fe-733d-46e7-8730-4e1ef7a0da54' because it violates the following Content Security Policy directive: "img-src https: data:".
index.js:122 Uncaught (in promise) Error: ImageBlobReduce: failed to create Image() from blob
at t.image.onerror (index.js:122:46)
Disabling the extension solves the issue. No server-side logs. php flarum info:
Flarum core 1.6.2
PHP version: 8.1.2-1ubuntu2.8
MySQL version: 5.5.5-10.9.3-MariaDB-1:10.9.3+maria~ubu2204
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, exif, mysqli, pdo_mysql, Phar, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Zend OPcache
+----------------------------------+---------+--------+
| Flarum Extensions | | |
+----------------------------------+---------+--------+
| ID | Version | Commit |
+----------------------------------+---------+--------+
| flarum-tags | v1.6.1 | |
| flarum-sticky | v1.6.1 | |
| flarum-suspend | v1.6.1 | |
| fof-pages | 1.0.4 | |
| flarum-flags | v1.6.1 | |
| flarum-markdown | v1.6.1 | |
| v17development-seo | v1.8.0 | |
| the-turk-stickiest | 3.0.1 | |
| the-turk-flamoji | 1.0.4 | |
| the-turk-diff | 1.1.2 | |
| sycho-profile-cover | v1.3.3 | |
| sycho-move-posts | v0.1.7 | |
| migratetoflarum-canonical | 1.0.0 | |
| justoverclock-username-blacklist | 0.1.0 | |
| justoverclock-hashtag | 1.0.1 | |
| jslirola-login2seeplus | v0.2.1 | |
| ianm-syndication | 1.2.2 | |
| fof-user-directory | 1.2.3 | |
| fof-user-bio | 1.1.1 | |
| fof-upload | 1.2.3 | |
| fof-stopforumspam | 1.2.3 | |
| fof-split | 1.1.0 | |
| fof-socialprofile | 1.1.4 | |
| fof-sitemap | 2.0.1 | |
| fof-secure-https | 1.1.0 | |
| fof-reactions | 1.1.3 | |
| fof-profile-image-crop | 1.1.0 | |
| fof-polls | 1.3.0 | |
| fof-nightmode | 1.5.1 | |
| fof-moderator-notes | 1.1.0 | |
| fof-merge-discussions | 1.3.1 | |
| fof-ignore-users | 1.1.0 | |
| fof-formatting | 1.0.2 | |
| fof-discussion-thumbnail | 1.1.0 | |
| fof-default-user-preferences | 1.2.0 | |
| fof-default-group | 1.1.0 | |
| fof-byobu | 1.1.8 | |
| fof-best-answer | 1.2.4 | |
| fof-bbcode-details | 1.1.0 | |
| flarum-subscriptions | v1.6.1 | |
| flarum-statistics | v1.6.1 | |
| flarum-pusher | v1.6.1 | |
| flarum-mentions | v1.6.1 | |
| flarum-lock | v1.6.1 | |
| flarum-lang-turkish | 1.12.0 | |
| flarum-lang-swedish | 1.1.1 | |
| flarum-lang-spanish | 1.5.0 | |
| flarum-lang-polish | v1.0.9 | |
| flarum-lang-italian | 1.9.0 | |
| flarum-lang-german | 1.4.6 | |
| flarum-lang-french | v4.4.0 | |
| flarum-lang-english | v1.6.0 | |
| flarum-lang-brazilian | 1.4.0 | |
| flarum-emoji | v1.6.1 | |
| flarum-bbcode | v1.6.0 | |
| davwheat-custom-sidenav-links | 1.0.1 | |
| datlechin-signup-button | v0.1.1 | |
| datlechin-scroll-buttons | v1.1.0 | |
| datlechin-keyboard-shortcuts | v0.1.1 | |
| askvortsov-rich-text | v2.1.7 | |
| askvortsov-pwa | v3.1.3 | |
| askvortsov-moderator-warnings | v0.6.1 | |
| askvortsov-markdown-tables | v1.2.1 | |
| askvortsov-categories | v3.0.6 | |
| acpl-mobile-tab | 1.1.1 | |
+----------------------------------+---------+--------+
Base URL: https://[redacted]
Installation path: /mnt/data-new/host/[redacted]
Queue driver: sync
Session driver: file
Mail driver: smtp
Debug mode: off
SKevo I'm not sure there will be any good solution to this problem.
Secure HTTPS forces a content security policy on the forum that is very likely to break other extensions, not just avatars.
The easiest "solution" would be to add a toggle to disable the CSP header, but then the forum owner would be responsible for adding their own CSP, which they probably won't do, and that would negate a big part of this extension's security.
Dynamically augmenting the CSP rule based on the set of enabled extensions will likely be too complex to maintain.
I'm not entirely sure where avatars could fail with the current CSP though. The error message suggests the avatar image is being drawn on a canvas. I can think of 2 features that do this: the color-thief implementation that picks the profile page background (happens on every page load, not only avatar change) or the avatar crop extension.
Since I see fof-profile-image-crop in the php flarum info output I would guess that's where the CSP incompatibility lies. I'm not sure which CSP change would be needed for that. I suppose it's opening the uploaded binary data as an image directly and data: doesn't cover it.
clarkwinkelmann thank you for the detailed reply! Yes, it seems that Image Crop is incompatible. Perhaps adding blob: after data: in the CSP would help? Anyways, this is not really my field, but hopefully this issue can be fixed in the future somehow...
Does this extension hit the HTTP image URL every time a client requests it? Or is it only once, when the post is made? I see Loading Image and a spinner, so it appears to be every time a client requests it. Ideally it'd only do it when the post is saved.
I guess enabling the proxy is a security problem -- anyone could use https://forum.example.com/api/fof/secure-https?imgurl= to proxy their images. I think the extension should warn about this!
What do you think about checking the referrer and only serving if it's for the forum? Then at least it can't be abused as easily.
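The two controls discussed in that post side by side, as an added example that is not the extension's own code: a Referer check, and the camo-style alternative of signing the image URL with an HMAC at render time so the endpoint only fetches URLs the forum itself emitted. The `/api/fof/secure-https?imgurl=` path is the one named above; the forum origin `forum.example.com`, the secret key, the `images.example.net` / `attacker.example` hosts, the request dicts and the function names are all constructed for the demonstration.

```python
"""Signed proxy URLs for an http->https image proxy (added example, not the extension's code)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

PROXY_PATH = "/api/fof/secure-https"      # endpoint path named in the post above
FORUM_BASE = "https://forum.example.com"   # assumed forum origin
SECRET_KEY = b"example key: a real deployment loads a random per-site secret from config"


def sign(image_url: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the exact image URL; only server-side rendering holds the key."""
    return hmac.new(key, image_url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxied_src(image_url: str) -> str:
    """What the renderer would emit as <img src> when it rewrites an http:// image."""
    query = urlencode({"imgurl": image_url, "sig": sign(image_url)})
    return f"{FORUM_BASE}{PROXY_PATH}?{query}"


def _query(request: dict) -> dict:
    """First value of each query parameter of request['url']."""
    return {k: v[0] for k, v in parse_qs(urlsplit(request["url"]).query).items()}


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def authorize_by_referer(request: dict) -> bool:
    """The mitigation floated in the post: serve only when Referer is the forum.
    The header is supplied by the client, so a script (or curl) simply sets it."""
    referer = request.get("headers", {}).get("Referer", "")
    return "imgurl" in _query(request) and _origin(referer) == _origin(FORUM_BASE)


def authorize_by_signature(request: dict) -> bool:
    """Camo-style check: fetch only URLs the forum itself signed at render time."""
    q = _query(request)
    image_url, sig = q.get("imgurl", ""), q.get("sig", "")
    if not image_url or not sig:
        return False
    if urlsplit(image_url).scheme.lower() != "http":
        return False  # only http:// images need the proxy; refuse every other scheme
    return hmac.compare_digest(sig, sign(image_url))


def demo() -> dict:
    post_image = "http://images.example.net/logo.png"   # constructed: an http image in a post
    legit = {"url": proxied_src(post_image),
             "headers": {"Referer": FORUM_BASE + "/d/1-hello"}}
    # Outsider hot-linking through the forum: any imgurl, forged Referer, no signature.
    abuse = {"url": f"{FORUM_BASE}{PROXY_PATH}?imgurl=http://attacker.example/x.png",
             "headers": {"Referer": FORUM_BASE + "/d/1-hello"}}
    # Outsider re-using a genuine signature on a different host.
    tampered = {"url": legit["url"].replace("images.example.net", "attacker.example"),
                "headers": {}}
    return {
        "referer: legit": authorize_by_referer(legit),
        "referer: forged": authorize_by_referer(abuse),       # True: the check is bypassed
        "signature: legit": authorize_by_signature(legit),
        "signature: unsigned": authorize_by_signature(abuse),
        "signature: tampered": authorize_by_signature(tampered),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:<22} {'served' if ok else 'refused'}")
```

The signature binds the endpoint to URLs that were actually rendered into a post, so the "anyone can proxy their images" concern above goes away without any header inspection; the Referer check only adds friction against casual hot-linking from another page and should not be relied on as authorization. Signing does not change how often the upstream image is fetched, which is a separate caching question.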
I'd like to change the very RED warning. Could we have a class on the blockquote?
I'm having an issue that I described in this post from another thread: https://discuss.flarum.org/d/32399-inconsistent-display-across-browsers/5
I first did not understand why I was having issues, but once I understood that showing images from an HTTP link on an HTTPS page was always going to be problematic, I put a copy of the files on the Flarum server itself, in a subfolder of the Public folder.
My subfolder's permissions are 755, and the files within are all 644.
I'm running v1.1.0 of the extension on Flarum 1.6.3.
The problematic post can be found here: https://lepointdarret.com/public/d/44-logo-pour-le-forum/12
Below is my php flarum info:
PHP version: 7.4.33
MySQL version: 10.3.37-MariaDB-log-cll-lve
Loaded extensions: Core, date, libxml, openssl, pcre, sqlite3, zlib, bz2, calendar, ctype, curl, hash, filter, ftp, gettext, gmp, SPL, iconv, pcntl, readline, Reflection, session, standard, shmop, SimpleXML, mbstring, tokenizer, xml, i360, bcmath, dba, dom, enchant, fileinfo, gd, imagick, imap, intl, json, ldap, exif, mysqlnd, mysqli, odbc, PDO, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, pspell, snmp, soap, sockets, sysvmsg, sysvsem, sysvshm, tidy, timezonedb, xmlreader, xmlrpc, xmlwriter, xsl, zip, clos_ssa
+-------------------------------------+---------+--------+
| Flarum Extensions | | |
+-------------------------------------+---------+--------+
| ID | Version | Commit |
+-------------------------------------+---------+--------+
| flarum-flags | v1.6.1 | |
| flarum-approval | v1.6.1 | |
| flarum-subscriptions | v1.6.3 | |
| flarum-tags | v1.6.1 | |
| flarum-sticky | v1.6.1 | |
| fof-follow-tags | 1.1.7 | |
| flarum-suspend | v1.6.1 | |
| fof-impersonate | 1.1.0 | |
| flarum-lock | v1.6.1 | |
| flarum-likes | v1.6.1 | |
| flarum-markdown | v1.6.1 | |
| zerosonesfun-up | 1.0 | |
| zerosonesfun-expired-posts | 0.4 | |
| zerosonesfun-direct-links | 3.1 | |
| v17development-seo | v1.8.0 | |
| the-turk-stickiest | 3.0.1 | |
| the-turk-nodp | 1.0.1 | |
| sycho-move-posts | v0.1.7 | |
| sycho-advanced-extension-categories | v0.1.3 | |
| nearata-login-notification | 1.0.0 | |
| nearata-copy-code-to-clipboard | v2.1.0 | |
| isamuraii-op-dark-mode-tuning | 0.2 | |
| ianm-gravatar | 0.2.0 | |
| ianm-follow-users | 1.2.0 | |
| fof-user-bio | 1.1.1 | |
| fof-subscribed | 1.1.2 | |
| fof-stopforumspam | 1.2.3 | |
| fof-socialprofile | 1.1.4 | |
| fof-sitemap | 1.0.3 | |
| fof-share-social | 1.1.2 | |
| fof-secure-https | 1.1.0 | |
| fof-polls | 1.3.0 | |
| fof-nightmode | 1.5.1 | |
| fof-moderator-notes | 1.1.0 | |
| fof-masquerade | 2.1.3 | |
| fof-linguist | 1.1.0 | |
| fof-ignore-users | 1.1.0 | |
| fof-doorman | 1.1.1 | |
| fof-byobu | 1.1.8 | |
| fof-best-answer | 1.2.4 | |
| flarumtr-mobile-search | v1.2 | |
| flarum-statistics | v1.6.1 | |
| flarum-mentions | v1.6.3 | |
| flarum-lang-french | v4.6.0 | |
| flarum-lang-english | v1.6.0 | |
| flarum-emoji | v1.6.1 | |
| flarum-bbcode | v1.6.0 | |
| extiverse-mercury | 0.2.0 | |
| dem13n-topic-starter-label | 0.1.8 | |
| datitisev-backup | 1.0.2 | |
| clarkwinkelmann-status | 1.0.0 | |
| clarkwinkelmann-mailing | 1.0.0 | |
| clarkwinkelmann-lock-likes | 1.1.1 | |
| clarkwinkelmann-group-invitation | 1.0.2 | |
| clarkwinkelmann-emojionearea | 1.0.0 | |
| blomstra-fontawesome | 0.1.5 | |
| askvortsov-rich-text | v2.1.7 | |
| askvortsov-moderator-warnings | v0.6.1 | |
| askvortsov-markdown-tables | v1.2.1 | |
| askvortsov-discussion-templates | v0.8.3 | |
| askvortsov-checklist | v1.3.1 | |
| antoinefr-online | v1.0.1 | |
| acpl-mobile-tab | 1.1.1 | |
+-------------------------------------+---------+--------+
Base URL: https://lepointdarret.com/public
Installation path: /home/accolade/lepointdarret.com
Queue driver: sync
Session driver: file
Mail driver: mail
Debug mode: off
I moved from php 7.4 to 8.1 and was still having issues.
It would be great to get clarification on whether this extension is conflicting with the markdown extension and/or the rich text extension. In the meantime, I ended up deactivating the "proxy images through https" toggle on the extension admin panel.
Images are only displayed for the administrator account. Non-administrator accounts and users who are not logged in cannot view any images, and it is unknown whether this extension conflicts with permission management. After disabling this extension, the images are displayed again.
fof/profile-image-crop
tom23 updated. Thank you for letting me know! And thanks @datitisev for the update!