Kind of the same report: Broken image in Discourse (but they work in the message preview) - #8 by Canapin - wordpress - Discourse Meta
Simply put: when uploading an image on onion, Discourse decides to use the protocol currently in use for loading the image. This results in http:// only plaintext URL to the image, which breaks our CSP.
What’s curious is it works in the Preview of the post (as the user in the link above also noticed)
But ultimately this is Yet Another issue using other people’s software with an .onion proxy in front, devs are not accounting for this setup when making assumptions in their code.
Since this is an internal Discourse thing (beyond my means to hack at) I don’t think we can really fix it unless we:
- Get rid of the Forums onion
- Buy an SSL EV cert for the .onions for $295USD/yr and then enforce https in the Discourse settings (expensive fix)
- Disallow uploading of images somehow (maybe a good idea for other reasons, but also inconvenient) - this would also disable uploading of avatars…