GNOME Bugzilla – Bug 754460
Mixed Content Warnings on extensions.gnome.org
Last modified: 2016-11-26 10:57:36 UTC
When browsing to extensions.gnome.org, I see a mixed content warning in my URL bar. This website is designed to install software into my OS with a high privilege level, making the security of extensions.gnome.org very, very important.

According to Firefox's security log[1], the resource causing this problem is:

> Loading mixed (insecure) display content "http://i1.wp.com/extensions.gnome.org/static/images/nobody.png" on a secure page jquery.js:6411:0

It looks like this is already getting redirected to a secure version, which is good because it means the resource is already available over HTTPS, but the redirection is a vector for attack.

Can we please get this fixed? In my opinion this is one of those bugs that defeats the whole purpose of the site, since it makes it very hard to trust the software it is providing.

[1]: https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content
Bizarre. It seems Gravatar has started completely flat out ignoring the secure.gravatar.com thing and redirecting us to its own HTTP website. That's unfortunate.

https://secure.gravatar.com/avatar/bad?s=128&d=http://extensions.gnome.org/static/images/nobody.png
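
The pattern in the comment above, an HTTPS avatar URL whose `d=` fallback parameter is itself an `http://` URL, can be checked for mechanically alongside plain `http://` image sources. The following is an added example, not code from extensions-web or from this bug's participants; the function names (`auditResourceUrl`, `auditImages`) and the sample markup are constructed for illustration from the URLs quoted in this bug.

```javascript
// Added example: audit image URLs referenced by an HTTPS page for mixed content.

// Return findings for one resource URL loaded by a secure page.
function auditResourceUrl(raw, pageOrigin = "https://extensions.gnome.org/") {
  const findings = [];
  let url;
  try {
    url = new URL(raw, pageOrigin); // resolves relative and protocol-relative URLs
  } catch {
    return [{ kind: "unparseable", url: raw }];
  }
  if (url.protocol === "http:") {
    findings.push({ kind: "insecure-resource", url: url.href });
  }
  // An HTTPS URL can still carry an http:// fallback inside a query
  // parameter, as with the d= default image in the Gravatar URL above.
  for (const [name, value] of url.searchParams) {
    if (/^http:\/\//i.test(value.trim())) {
      findings.push({ kind: "insecure-nested-url", param: name, url: value });
    }
  }
  return findings;
}

// Pull src attributes out of <img> tags. The regex is a simplification that
// suits templated markup; use a real HTML parser for arbitrary pages.
function auditImages(html, pageOrigin) {
  const report = [];
  const re = /<img\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
  for (const m of html.matchAll(re)) {
    const src = m[2].replace(/&amp;/g, "&");
    for (const f of auditResourceUrl(src, pageOrigin)) report.push({ src, ...f });
  }
  return report;
}

// Constructed sample markup: the first two sources come from this bug, the
// last two are secure variants added for contrast.
const sampleHtml = `
<img src="https://secure.gravatar.com/avatar/bad?s=128&amp;d=http://extensions.gnome.org/static/images/nobody.png">
<img src="http://i1.wp.com/extensions.gnome.org/static/images/nobody.png">
<img src="/static/images/nobody.png">
<img src="https://secure.gravatar.com/avatar/bad?s=128&amp;d=https%3A%2F%2Fextensions.gnome.org%2Fstatic%2Fimages%2Fnobody.png">
`;

console.log(auditImages(sampleHtml, "https://extensions.gnome.org/"));
```
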
This is fixed in the theme/gnome-grass/2016 git branch: https://git.gnome.org/browse/extensions-web/log/?h=theme/gnome-grass/2016 and will be deployed soon.
*** Bug 759163 has been marked as a duplicate of this bug. ***
Deployed on production server