Uploaded Images doesnt show up after creating topic

please check out the screenshot (if u can see it)

1 Like

Have noticed this too.

The reason the image doesn’t load is that Discourse has used https://forums.whonix.org (plaintext) so the browser won’t load it as it violates our Content-Security-Policy.

Probably in the past, images loaded but caused partial (mixed mode) security issues.

I’m not sure if we can fix, the problem is that I think ‘forced https’ is turned off in Discourse because it otherwise breaks the http:// on the .onion.

Looking into it. Thanks for reporting

2 Likes

Kind of the same report: Broken image in Discourse (but they work in the message preview) - #8 by Canapin - wordpress - Discourse Meta

Simply put: when uploading an image on onion, Discourse decides to use the protocol currently in use for loading the image. This results in http:// only plaintext URL to the image, which breaks our CSP.

What’s curious is it works in the Preview of the post (as the user in the link above also noticed)

But ultimately this is Yet Another issue using other people’s software with an .onion proxy in front, devs are not accounting for this setup when making assumptions in their code.

Since this is an internal Discourse thing (beyond my means to hack at) I don’t think we can really fix it unless we:

  1. Get rid of the Forums onion
  2. Buy an SSL EV cert for the .onions for $295USD/yr and then enforce https in the Discourse settings (expensive fix)
  3. Disallow uploading of images somehow (maybe a good idea for other reasons, but also inconvenient) - this would also disable uploading of avatars…

@Patrick

1 Like

not good idea

no way

if u can make that only on .onion users then thats i think fine, but if it will effect on clearnet forum as well for uploading images well thats really not helpful as well.

the good side of the story only when u use .onion forum u can see the images , but if u r using the clearnet link then u can see the uploaded images which is good.

Fixed it with a different technique. Those images load now on .onion (the page markup is forced from forums.whonix.org to the onion URL, in the Nginx response).

3 Likes

Still having this issue?

Yes just tested now.

1 Like

Was happening on onion only (worth mentioning for debugging). Now fixed. Example here:

1 Like

can you check it again , i just tested that and got same thing.

1 Like

Confirmed. Happens sometimes. Fixed itself after reload. Cause: The content security policy (CSP) of the onion instructions browser to not fetch from Whonix clearnet domain. This can be seen in Tor Browser hamburger menu -> Web Developer -> Web Console. Hard to fix as per: