Code Monkey home page Code Monkey logo

Comments (4)

electerious avatar electerious commented on May 18, 2024

I don't think this is problematic. The favicons are just visual enhancements. Ackee is also just guessing that there's a favicon at /favicon.ico which isn't always the case.

Upgrading them to https: Could work, but when the referrer is http then there's a small chance that the site is available via the https (would be a badly configured server in this case).

from ackee.

BrookeDot avatar BrookeDot commented on May 18, 2024

According to MDN this is type of warning from the browser is known as a passive mixed content warning. The biggest risks appears to be revealing the URL and allowing some tracking of an otherwise private Ackee install to the third-party site:

The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.

I looked into a few solutions and found a node package favrat as well as some solutions in other languages. It seems in most cases the idea is to cURL the site, see if there's a favicon and you get a 200 response then do something with the icon.

By far the easiest method is to use the Google API but we should keep Google out of Ackee by all means :)
http://s2.googleusercontent.com/s2/favicons?domain_url=http://github.com

Let me know if I can be of any other assistance here.

from ackee.

electerious avatar electerious commented on May 18, 2024

The solutions aren't very satisfying, so I will stay with the current implementation. I don't think that revealing the URL of the Ackee instance is problematic enough.

from ackee.

BrookeDot avatar BrookeDot commented on May 18, 2024

Thanks for the update here.

For those running NGINX, the following header can be added to prevent warnings on major browsers:

add_header Content-Security-Policy "block-all-mixed-content";

You can read more about that setting in the MDN article:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

Chrome/Chromium version 79+ which was released this week will also auto-update insecure request to secure:
https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html

Overall, I totally understand the desire to have the visual of the icon but its not worth it for me to expose even the install URL.

from ackee.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.