GNOME Bugzilla – Bug 766789
[lastfm] coverart insecure
Last modified: 2017-05-02 09:54:37 UTC
Following the discussion in bug #747953: the lastfm albumart API returns plain http URLs for the albumart retrieval; this is the part that makes the plugin leak. However, while testing it turns out the same URLs over https also work, only the certificate it uses is not valid. So the holder of the API key should probably try to contact the lastfm folks and try to convince them to go https by default and/or fix the certificate problem. Using the https URLs while they're not returned by the API is probably unwanted behaviour.
https://wiki.gnome.org/Initiatives/OnlineServicesAPIKeys -> Felipe
Thanks, I'm on it.
To keep everyone posted on the issue, I opened a topic in their forum at the time at https://getsatisfaction.com/lastfm/topics/use-https-by-default, which has been tagged as "IMPLEMENTED". If you test the API endpoint with our API keys, it returns https URLs for the images: https://ws.audioscrobbler.com/2.0/?method=album.getinfo&api_key={API_KEY}&artist=Cher&album=Believe
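The thread settles on two rules: request the API itself over HTTPS, and never fetch an image URL the API hands back over plain HTTP, even when the service has not yet switched its responses. The following is an added example, not the plugin's own code and not the attached patch. It parses a constructed album.getinfo-style response (embedded inline, not a real Last.fm reply), rewrites http:// image URLs to https:// only for an assumed allowlist of hosts (ws.audioscrobbler.com is the one host the thread names; the second entry is a placeholder), and drops anything else rather than fetching it in the clear. The function names and the allowlist are assumptions made for this example.

```c
/* Added example: keep cover-art fetches off plain HTTP.
 * Not the plugin's code; hosts, names and the sample response are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Assumed allowlist. Only ws.audioscrobbler.com appears on the bug page;
 * the second entry is a placeholder for this example. */
static const char *const ALLOWED_HOSTS[] = {
    "ws.audioscrobbler.com",
    "images.example.invalid",
};

/* Hypothetical helper. Writes an https version of url into out and returns
 * true, or returns false when the URL is not http(s), its host is not on the
 * allowlist (including look-alikes such as host.evil.invalid or user@host
 * tricks, since the whole authority is compared), or it does not fit. */
bool upgrade_to_https(const char *url, char *out, size_t outlen)
{
    const char *rest;
    if (strncmp(url, "https://", 8) == 0)
        rest = url + 8;
    else if (strncmp(url, "http://", 7) == 0)
        rest = url + 7;
    else
        return false;   /* ftp:, data:, file:, empty string ... */

    /* The authority ends at the first '/', ':', '?' or '#'. */
    size_t hostlen = strcspn(rest, "/:?#");
    bool allowed = false;
    for (size_t i = 0; i < sizeof ALLOWED_HOSTS / sizeof ALLOWED_HOSTS[0]; i++) {
        if (strlen(ALLOWED_HOSTS[i]) == hostlen &&
            strncasecmp(rest, ALLOWED_HOSTS[i], hostlen) == 0) {
            allowed = true;
            break;
        }
    }
    if (!allowed)
        return false;

    int n = snprintf(out, outlen, "https://%s", rest);
    return n >= 0 && (size_t)n < outlen;
}

/* Hypothetical helper. Pulls the text of each <image ...>...</image> element
 * out of an album.getinfo-style response and keeps only the URLs that pass
 * upgrade_to_https. Returns the number kept; *dropped counts rejections.
 * A real plugin would use its XML parser; strstr is enough for this example. */
size_t collect_image_urls(const char *xml, char urls[][256], size_t max,
                          size_t *dropped)
{
    size_t kept = 0;
    *dropped = 0;
    const char *p = xml;
    while (kept < max && (p = strstr(p, "<image")) != NULL) {
        const char *start = strchr(p, '>');
        if (!start)
            break;
        start++;
        const char *end = strstr(start, "</image>");
        if (!end)
            break;
        size_t len = (size_t)(end - start);
        char raw[256];
        if (len >= sizeof raw) {
            (*dropped)++;
        } else {
            memcpy(raw, start, len);
            raw[len] = '\0';
            if (upgrade_to_https(raw, urls[kept], 256))
                kept++;
            else
                (*dropped)++;
        }
        p = end + 8;   /* skip past "</image>" */
    }
    return kept;
}

/* Constructed sample: shaped like the image list of an album.getinfo reply,
 * with one plain-http URL, one https URL, one foreign host and one empty element. */
static const char SAMPLE_RESPONSE[] =
    "<lfm status=\"ok\"><album>"
    "<image size=\"small\">http://ws.audioscrobbler.com/i/u/34s/cover.png</image>"
    "<image size=\"large\">https://ws.audioscrobbler.com/i/u/174s/cover.png</image>"
    "<image size=\"mega\">http://cdn.attacker.invalid/cover.png</image>"
    "<image size=\"extralarge\"></image>"
    "</album></lfm>";

static char g_urls[4][256];
static size_t g_dropped;

/* Runs the sample through the filter; returns how many URLs were kept. */
size_t run_sample(void)
{
    return collect_image_urls(SAMPLE_RESPONSE, g_urls, 4, &g_dropped);
}

int main(void)
{
    size_t kept = run_sample();
    for (size_t i = 0; i < kept; i++)
        printf("fetch: %s\n", g_urls[i]);
    printf("kept %zu, dropped %zu\n", kept, g_dropped);
    return 0;
}
```

Two of the four URLs survive: the plain-http one for the allowed host is rewritten to https, the https one passes unchanged, and the foreign host and the empty element are dropped. Note what the example deliberately does not do: it does not disable certificate verification to cope with the invalid certificate mentioned earlier in the thread. A rewritten https URL that then fails verification should fail the fetch; the remedy, as the thread concludes, is for the service to fix its certificate and return https URLs, not for the client to stop checking.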
Created attachment 350852: lastfm-cover: Use HTTPS rather than insecure HTTP

To avoid leaking (potentially uniquely identifiable) user data over plain text (be it search phrases, hashes of contact emails, etc etc), use HTTPS whenever possible.
Review of attachment 350852: Win! Not sure that "hashes of contact emails" matches what this plugin is used for though, does it?
I updated the commit message. Thanks! Attachment 350852 pushed as 88d674a - lastfm-cover: Use HTTPS rather than insecure HTTP