Meitar M authored
Currently, in order for Converse.js to recognize a pasted URL as an image, it must be a URL whose protocol is `https:` (`https` in the URI.js library's notation). This is sensible, but means that any non-HTTPS image URL is not recognized as a valid URL (and thus will not be rendered inline, even if `show_images_inline` is set to `true`). It is important to always check for HTTPS URLs when in a secure context (i.e., the initial page load was requested via HTTPS) in order to ensure that non-secured content does not mix with secured content. However, the inverse is not true: if the original page was loaded over HTTP, then enforcing HTTPS for images adds arguably no meaningful protection while also breaking the `show_images_inline` feature for the edge cases where Converse.js is deployed without HTTPS and a user pastes an HTTP URL. This patch changes the behavior of the `isImageURL` method such that the requirement for the pasted URL's protocol to be `https:` is enforced only when the `window.location.protocol` itself is also `https:`. By doing this, we ensure that secure origins (i.e., when Converse.js is loaded over HTTPS initially) are still secured and cannot have non-HTTPS content introduced to the page via a pasted non-HTTPS URL; however, it also allows non-HTTPS origins to render both HTTP and HTTPS image URLs.
76bff83c
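The rule the commit message describes, written out as an added example that is not Converse.js's own `isImageURL` implementation: the candidate URL is parsed with the standard `URL` class rather than URI.js, the list of image file extensions is an assumption made here for illustration, and the page protocol is passed in explicitly (in a browser it would be `window.location.protocol`) so the check can be exercised outside a browser. A URL is accepted only when its scheme is on the allow-list for the current page: `https:` alone when the page itself is HTTPS, so no mixed content can be introduced through a pasted link, and both `http:` and `https:` when the page was loaded over plain HTTP.

```javascript
// Added example, not the project's code: mixed-content-aware image URL check.
// Image extensions are an assumed, illustrative allow-list.
const IMAGE_EXTENSIONS = ['.png', '.jpg', '.jpeg', '.gif', '.webp', '.svg'];

/**
 * Decide whether `text` may be rendered inline as an image on a page that
 * was loaded with `pageProtocol` (e.g. 'https:' or 'http:').
 *
 * - On an HTTPS page only https: sources are allowed (no mixed content).
 * - On an HTTP page both http: and https: sources are allowed, since the
 *   page is already unprotected and blocking http: images gains nothing.
 * - Any other scheme (ftp:, data:, javascript:, ...) is always rejected.
 */
function isImageURL(text, pageProtocol = currentPageProtocol()) {
  let url;
  try {
    url = new URL(text);            // throws on anything that is not an absolute URL
  } catch (e) {
    return false;
  }

  const allowedSchemes = pageProtocol === 'https:' ? ['https:'] : ['http:', 'https:'];
  if (!allowedSchemes.includes(url.protocol)) {
    return false;
  }

  // Only the path decides whether this looks like an image; query strings
  // and fragments are ignored on purpose.
  const path = url.pathname.toLowerCase();
  return IMAGE_EXTENSIONS.some((ext) => path.endsWith(ext));
}

// In a browser this reads window.location.protocol; elsewhere (e.g. Node) it
// falls back to the strict 'https:' behaviour, which is the safe default.
function currentPageProtocol() {
  if (typeof window !== 'undefined' && window.location && window.location.protocol) {
    return window.location.protocol;
  }
  return 'https:';
}

// Constructed sample inputs showing the four scheme/page combinations.
function demo() {
  const samples = [
    ['https://example.org/cat.png', 'https:'],  // secure page, secure image  -> true
    ['http://example.org/cat.png',  'https:'],  // secure page, plain image   -> false
    ['https://example.org/cat.png', 'http:'],   // plain page, secure image   -> true
    ['http://example.org/cat.png',  'http:'],   // plain page, plain image    -> true
  ];
  return samples.map(([u, p]) => [u, p, isImageURL(u, p)]);
}

module.exports = { isImageURL, currentPageProtocol, demo };
```

Note that rejecting unknown schemes outright, rather than only comparing against `https:`, keeps the check from ever treating a `data:` or `javascript:` string as an image source, regardless of how the page was loaded.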