Cloudflare Community not forcing HTTPS?


#1

Just realized my Chrome is showing Cloudflare Community is not forcing HTTPS on all its pages. Some threads I visit turn from :lock: to :information_source: on the address bar. Please see if the same happens to you when you visit the following thread:


#2

There is an occasional mixed content issue :smile: but generally the pages all load from HTTPS, as far as I can tell it even seems to be enforced via HSTS.

On that particular page it appears to be the Screencast favicon which is loaded via HTTP.


#3

Isn’t that weird? I don’t think it’s only the favicon. When you click on that screenshot link, it does open the page in HTTP, though it does work on HTTPS.


#4

Well, the link is not the reason for mixed content, the favicon is as it is embedded. The problem might be that Discourse is not locally storing the favicon but linking to it and that link is on HTTP. There is not much that can be done here, except for locally storing it of course :slight_smile:


#5

Or doing a CSP of upgrade-insecure-requests on all pages.


#6

I don't think this would apply to external/CORS requests.


#7

It does as far as I know, all requests generated by the page have the CSP applied. Even plugins in the browser that modify the page will be affected. Only external links, that are <a> tags. Basically everything that is loaded will have the CSP applied.


#8

Are you absolutely sure? To same-origin resources, yes, sure definitely. But as far as cross-origin resources are concerned it should not be able to tell whether that resource is reachable via TLS in the first place and such an upgrade might break the link altogether.


#9

It actually doesn’t care about the possibility of breaking the resource, that’s the whole point. It’s not the same as the Automatic HTTPS Rewrites Cloudflare or the IFF plugin di, those are based on knowing if the resource works or not. This will break all resources that do not match that, keeping the site secure.

There is also the block-insecure-requests, that blocks all http requests.


#10

True it does seem to apply to cross-origin requests as well.

From your link

non-navigational insecure resource requests are automatically upgraded (first-party as well as third-party requests).

Good call, I wasn't aware of the implications towards external resources.
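As an added illustration (not code from this thread, from Discourse or from Cloudflare): a small Python checker that applies the distinction discussed above. Embedded subresources such as a favicon fetched over http:// are mixed content, while an http:// `<a>` link is only a navigation, and once the response carries a CSP with upgrade-insecure-requests (or block-all-mixed-content) nothing remains flagged. The host name and HTML below are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags/attributes that fetch an embedded subresource (what the browser loads).
# Anchors are navigational, so an http:// href on <a> is not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "link": ("href",),
    "audio": ("src",), "video": ("src",), "source": ("src",), "object": ("data",),
}

class MixedContentFinder(HTMLParser):
    """Collects embedded subresources referenced over plain http://."""
    def __init__(self):
        super().__init__()
        self.insecure = []     # (tag, url) pairs that trigger a mixed-content warning
        self.http_links = []   # <a href="http://..."> navigations, informational only

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # valueless attributes come back as None
        if tag == "a" and attrs.get("href", "").startswith("http://"):
            self.http_links.append(attrs["href"])
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(name, "")
            if urlsplit(url).scheme == "http":
                self.insecure.append((tag, url))

def csp_upgrades(headers):
    """True if the CSP header upgrades (or blocks) insecure subresource requests."""
    csp = headers.get("content-security-policy", "")
    directives = {d.strip().split()[0] for d in csp.split(";") if d.strip()}
    return "upgrade-insecure-requests" in directives or "block-all-mixed-content" in directives

def check_page(html, headers):
    """Return the http:// subresources that would still be reported as mixed content."""
    finder = MixedContentFinder()
    finder.feed(html)
    if csp_upgrades({k.lower(): v for k, v in headers.items()}):
        return []  # every subresource fetch is rewritten to https:// before it is sent
    return finder.insecure

# Constructed sample modelled on the thread: a onebox with an http:// favicon and an http:// link.
SAMPLE_HTML = """
<div class="onebox">
  <img class="site-icon" src="http://example-screencast.invalid/favicon.ico">
  <a href="http://example-screencast.invalid/some/page">A screenshot</a>
</div>
"""
```

Calling `check_page(SAMPLE_HTML, {})` reports only the favicon; with a `Content-Security-Policy: upgrade-insecure-requests` header it reports nothing, although the favicon origin must actually serve HTTPS for the upgraded fetch to succeed.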


#11

CSP is a beautiful thing if used correctly. Sometimes a pain, but worth it.


#12

Some CSP is better than none. Especially when it comes to fixing mixed content. Every site of mine has some form of CSP.