Fix: upgrade hotlinked http URLs on HTTPS

author: yo momma <shutup@oops.wtf> 2026-01-30 08:46:18 +0000
committer: yo momma <shutup@oops.wtf> 2026-01-30 08:46:18 +0000
commit: 5aea6f7791d9a5238581b04d2198205c90495baf (patch)
tree: 35e550bd2d58b756ad018708955123f616212b47 /static/js/src/util.js
parent: 2e71933790cb3223f7690335eeb66c0c187dbec0 (diff)
1 files changed, 11 insertions, 4 deletions
diff --git a/static/js/src/util.js b/static/js/src/util.js
index 2a3dc52..69740ff 100755
--- a/static/js/src/util.js
+++ b/static/js/src/util.js
@@ -18,11 +18,18 @@ String.prototype.trim = function(){ return this.replace(/^\s+|\s+$/g,'') }
 
 function normalizeUrl(url) {
     if (!url) { return url; }
-    var lowerurl = url.toLowerCase();
-    if (lowerurl.indexOf('http://') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0 || lowerurl.indexOf('//') == 0)
-        return url;
+    var trimmed = url.trim();
+    var lowerurl = trimmed.toLowerCase();
+    if (lowerurl.indexOf('//') == 0 || lowerurl.indexOf('https://') == 0 || lowerurl.indexOf('ftp://') == 0)
+        return trimmed;
+    if (lowerurl.indexOf('http://') == 0) {
+        // On HTTPS pages, modern browsers will auto-upgrade or block insecure image loads.
+        // Prefer upgrading ourselves so hotlinked images render when the host supports HTTPS.
+        if (location && location.protocol == 'https:') return 'https://' + trimmed.substr('http://'.length);
+        return trimmed;
+    }
     var scheme = (location && location.protocol == 'https:') ? 'https://' : 'http://';
-    return scheme + url;
+    return scheme + trimmed;
 }
 
 function isCSSPropertySupported(prop){ return prop in document.body.style }
author	yo momma <shutup@oops.wtf>	2026-01-30 08:46:18 +0000
committer	yo momma <shutup@oops.wtf>	2026-01-30 08:46:18 +0000
commit	5aea6f7791d9a5238581b04d2198205c90495baf (patch)
tree	35e550bd2d58b756ad018708955123f616212b47 /static/js/src/util.js
parent	2e71933790cb3223f7690335eeb66c0c187dbec0 (diff)