please check out the screenshot (if u can see it)
Have noticed this too.
The reason the image doesn’t load is that Discourse has used https://forums.whonix.org (plaintext) so the browser won’t load it as it violates our Content-Security-Policy.
Probably in the past, images loaded but caused partial (mixed mode) security issues.
I’m not sure if we can fix, the problem is that I think ‘forced https’ is turned off in Discourse because it otherwise breaks the http:// on the .onion.
Looking into it. Thanks for reporting
Kind of the same report: https://meta.discourse.org/t/broken-image-in-discourse-but-they-work-in-the-message-preview/90429/8
Simply put: when uploading an image on onion, Discourse decides to use the protocol currently in use for loading the image. This results in http:// only plaintext URL to the image, which breaks our CSP.
What’s curious is it works in the Preview of the post (as the user in the link above also noticed)
But ultimately this is Yet Another issue using other people’s software with an .onion proxy in front, devs are not accounting for this setup when making assumptions in their code.
Since this is an internal Discourse thing (beyond my means to hack at) I don’t think we can really fix it unless we:
- Get rid of the Forums onion
- Buy an SSL EV cert for the .onions for $295USD/yr and then enforce https in the Discourse settings (expensive fix)
- Disallow uploading of images somehow (maybe a good idea for other reasons, but also inconvenient) - this would also disable uploading of avatars…
not good idea
if u can make that only on .onion users then thats i think fine, but if it will effect on clearnet forum as well for uploading images well thats really not helpful as well.
the good side of the story only when u use .onion forum u can see the images , but if u r using the clearnet link then u can see the uploaded images which is good.
Fixed it with a different technique. Those images load now on .onion (the page markup is forced from forums.whonix.org to the onion URL, in the Nginx response).
Still having this issue?
Yes just tested now.
Was happening on onion only (worth mentioning for debugging). Now fixed. Example here:
can you check it again , i just tested that and got same thing.
Confirmed. Happens sometimes. Fixed itself after reload. Cause: The content security policy (CSP) of the onion instructions browser to not fetch from Whonix clearnet domain. This can be seen in
Tor Browser hamburger menu -> Web Developer -> Web Console. Hard to fix as per: