Email template previews for Hero and Sidebar templates are breaking https…
==== to replicate:
Go to network/admin.php?page=branding&tab=htmlemail and select 'Load Template' for Hero or Sidebar, then click 'preview' and observe your browser bar lock.
Close the email preview and right click on the page at network/admin.php?page=branding&tab=htmlemail to 'inspect element' and then observe:
Loading mixed (insecure) display content “http://lorempixel.com/200/50/” on a secure page[Learn More]
Loading mixed (insecure) display content “http://lorempixel.com/600/300” on a secure page
==== to solve:
Change hardcoded http:// values for placeholder images to use https:// instead.
For the Sidebar template, the URL just needs https; like:
can simply be changed to
However, for the Hero template, the URL also needs a trailing slash added (or else https will not resolve); like:
must have two changes, to
imo, these should just be made https –> relative links are not best practice
Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.
Allowing the snippet to request over HTTP opens the door for attacks like the recent GitHub Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.
More guidance and details in Eric Mills’ guide to CDNs & HTTPS and digitalgov.gov’s writeup on secure analytics hosting.
Hope that helps :)
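
A check that would catch this class of bug before a template ships, as an added example (not part of the original post or the plugin's own code): it scans template HTML for subresources loaded over http:// or through protocol-relative URLs and proposes the https:// form. The sample template and the cdn.example.test host are constructed, and the script does not test whether the https URL resolves, so the Hero template's trailing-slash requirement still needs a manual check.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is navigation, not mixed content, so it is deliberately absent.
FETCH_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}


class SubresourceAudit(HTMLParser):
    """Collects subresource URLs that would not be fetched over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url, suggested)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in FETCH_ATTRS or not value:
                continue
            url = value.strip()
            if url.startswith("//"):
                kind, fixed = "protocol-relative", "https:" + url
            elif urlsplit(url).scheme == "http":
                kind = "insecure"
                fixed = urlsplit(url)._replace(scheme="https").geturl()
            else:
                continue
            self.findings.append((self.getpos()[0], tag, kind, url, fixed))


def audit(html):
    """Return findings for one template's HTML source."""
    parser = SubresourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample template; the two lorempixel URLs are the ones in the report.
SAMPLE = """<table>
<tr><td><img src="http://lorempixel.com/200/50/" alt="logo"></td></tr>
<tr><td><img src="http://lorempixel.com/600/300" alt="hero"></td></tr>
<tr><td><img src="//cdn.example.test/badge.png" alt=""></td></tr>
<tr><td><a href="http://example.test/">read more</a></td></tr>
</table>"""
```

Running `audit()` over every bundled template in a pre-release check makes any non-empty result a build failure.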