[Ultimate Branding] Bug Report - UB Email Templates module - mixed content from template previews

Email template previews for Hero and Sidebar templates are breaking https...

==== to replicate:

Go to network/admin.php?page=branding&tab=htmlemail and select 'Load Template' for Hero or Sidebar, then click 'preview' and observe your browser bar lock.

Close the email preview and right click on the page at network/admin.php?page=branding&tab=htmlemail to 'inspect element' and then observe:

Loading mixed (insecure) display content “http://lorempixel.com/200/50/” on a secure page
htmlemail.js:86:12
Loading mixed (insecure) display content “http://lorempixel.com/600/300” on a secure page

==== to solve:

Change hardcoded http:// values for placeholder images to use https:// instead.

For the Sidebar template, the URL just needs https; like:
http://lorempixel.com/200/50/
can simply be changed to
https://lorempixel.com/200/50/

However, for the Hero template, the URL also needs a trailing slash added (or else https will not resolve); like:
http://lorempixel.com/600/300
must have two changes, to
https://lorempixel.com/600/300/

====

imo, these should just be made https --> relative links are not best practice

quotable ref:

Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.

Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.

More guidance and details in Eric Mills’ guide to CDNs & HTTPS and digitalgov.gov’s writeup on secure analytics hosting.

from: https://www.paulirish.com/2010/the-protocol-relative-url/

====

Hope that helps :slight_smile:

Cheers, Max
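A check for this class of issue, written as an added example for this thread and not code from the Ultimate Branding plugin: it scans a template for http:// subresources (the ones the browser flags as mixed content on an https admin page) and rewrites them to https://, adding the trailing slash the report says the Hero placeholder needs. The sample template and the lorempixel-specific trailing-slash rule are constructed assumptions.

```javascript
// Constructed sample in the shape of the Sidebar/Hero placeholders (not the
// plugin's real template markup).
const SAMPLE_TEMPLATE = `
<table><tr><td>
  <img src="http://lorempixel.com/200/50/" alt="sidebar placeholder">
  <div style="background:url(http://lorempixel.com/600/300)"></div>
  <img src="https://example.test/already-secure.png" alt="ok">
  <a href="http://example.test/unsubscribe">Unsubscribe</a>
</td></tr></table>`;

// Subresource references: src="..." attributes and CSS url(...). Plain http://
// links in href are navigations, not mixed content, so they are not matched.
const SUBRESOURCE_RE =
  /(?:\bsrc\s*=\s*["']([^"']+)["']|url\(\s*["']?([^"')\s]+)["']?\s*\))/gi;

// Return every http:// subresource URL in the template (what the browser
// console reports as "mixed (insecure) display content").
function findMixedContent(html) {
  const insecure = [];
  for (const m of html.matchAll(SUBRESOURCE_RE)) {
    const url = m[1] || m[2];
    if (/^http:\/\//i.test(url)) insecure.push(url);
  }
  return insecure;
}

// Rewrite http:// subresources to https://. Assumption from the report: the
// lorempixel placeholders only resolve over https with a trailing slash, so
// one is added for that host when missing (e.g. the Hero /600/300 path).
function upgradeToHttps(html) {
  return html.replace(SUBRESOURCE_RE, (match, srcUrl, cssUrl) => {
    const url = srcUrl || cssUrl;
    if (!/^http:\/\//i.test(url)) return match;
    let secure = url.replace(/^http:\/\//i, 'https://');
    if (/^https:\/\/lorempixel\.com\//i.test(secure) && !secure.endsWith('/')) {
      secure += '/';
    }
    return match.replace(url, secure);
  });
}

console.log('insecure before:', findMixedContent(SAMPLE_TEMPLATE));
console.log('insecure after :', findMixedContent(upgradeToHttps(SAMPLE_TEMPLATE)));
```

Run over a template directory before shipping or previewing, an empty result from findMixedContent means the preview will not trigger the mixed-content warning.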

  • Adam Czajczyk

    Hi wp.network

    I hope you're having a nice day!

    I checked these templates and you're right, they're using some "placeholder images" referenced via "http://" URLs. I wouldn't consider it a bug as those templates are fully editable and in most cases that I've seen Members are actually editing them anyway to provide better "branding" for their sites.

    However, I see the point and agree that it would be better to either reference them by "protocol-less" URLs (which, in this case, shouldn't be much of an issue - I'm referring here to an article that you shared) or just "fixed" "https://".

    I've forwarded it to our developers.

    Best regards and thank you for pointing that out :slight_smile:

    Best regards,
    Adam

  • wp.network

    Hi again Adam Czajczyk

    I wouldn't consider it a bug as those templates are fully editable and in most cases that I've seen Members are actually editing them anyway to provide better "branding" for their sites.

    This issue is only about how https is broken in wp-admin when previewing these two templates.

    I would call it a bug bcs these resource locations are coded into the plugin provided for download, and the subsequent mixed content issue occurs in the course of the standard/recommended usage of the plugin, namely, previewing the templates.

    However, I see the point and agree that it would be better to either reference them by "protocol-less" URLs (which, in this case, shouldn't be much of an issue - I'm referring here to an article that you shared)

    The article is saying that relative ('protocol-less') URLs are NOT good practice (see update at top of article).

    "Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique [of using relative URLs] is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset."

    "Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true."

    Since the resources are available via https, the ONLY good fix is to use https.

    Cheers, Max

    ( and btw, Paul Irish isn't just some random coder with a blog and an opinion, he also has credentials: https://www.paulirish.com/about/ )

  • wp.network

    Adam Czajczyk I didn't think you were arguing at all... and my apologies to you if I seemed argumentative... I was just trying to clearly communicate about the scope of the reported issue, and my perspective on solving it - especially if the devs refer to the thread.

    I also didn't refer in any way to the article author's credentials.

    yeah, I know... actually, that bit was meant to be humorous... as in, they have three things:
    - a blog
    - an opinion
    - and credentials

    Kind Regards, Max
