Comments (4)
I don't think this is problematic. The favicons are just visual enhancements. Ackee is also just guessing that there's a favicon at /favicon.ico
which isn't always the case.
Upgrading them to https: Could work, but when the referrer is http then there's a small chance that the site is available via the https (would be a badly configured server in this case).
from ackee.
According to MDN this is type of warning from the browser is known as a passive mixed content warning. The biggest risks appears to be revealing the URL and allowing some tracking of an otherwise private Ackee install to the third-party site:
The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.
I looked into a few solutions and found a node package favrat as well as some solutions in other languages. It seems in most cases the idea is to cURL the site, see if there's a favicon and you get a 200 response then do something with the icon.
By far the easiest method is to use the Google API but we should keep Google out of Ackee by all means :)
http://s2.googleusercontent.com/s2/favicons?domain_url=http://github.com
Let me know if I can be of any other assistance here.
from ackee.
The solutions aren't very satisfying, so I will stay with the current implementation. I don't think that revealing the URL of the Ackee instance is problematic enough.
from ackee.
Thanks for the update here.
For those running NGINX, the following header can be added to prevent warnings on major browsers:
add_header Content-Security-Policy "block-all-mixed-content";
You can read more about that setting in the MDN article:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
Chrome/Chromium version 79+ which was released this week will also auto-update insecure request to secure:
https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Overall, I totally understand the desire to have the visual of the icon but its not worth it for me to expose even the install URL.
from ackee.
Related Issues (20)
- CORS headers are not attached for serverless function on Vercel HOT 10
- Build Failing HOT 2
- Unable to login to Ackee | Vercel Deployment HOT 4
- Cant login to dashboard HOT 7
- Error login HOT 1
- Unrecognized time zone identifier: "Europe/Kyiv" HOT 6
- Unexpected token 'A', "An error o"... is not valid JSON HOT 1
- Hosting my website on netlify makes requests from preview builds logged HOT 6
- Cloudflare tunnels HOT 1
- A Public Analytics Page for Increased Transparency and User Engagement
- Support passwordless public dashboard HOT 2
- Trouble Signing In to app. Received status code 502 HOT 2
- Unable to connect to MongoDB with TLS
- Is it possible to integrate the Ackee with NextJS as inbuilt analytics. HOT 1
- unrecognized time zone identifier: "Europe/Kyiv" HOT 1
- Premission to publish "Ackee" app in Umbrel App store
- Any way to get complete history for pages visits? HOT 3
- Add documentation for configuring Caddy as a reverse proxy HOT 1
- Add Elestio as a deployment option for Ackee
- Unbounded cache enabled in production
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ackee.