Roundcube Community Forum

Release Support => Requests => Topic started by: kevinx on March 22, 2017, 11:08:00 AM

Title: Images loading via file_get_contents to keep https-connection
Post by: kevinx on March 22, 2017, 11:08:00 AM
Hello,

I have an https:// connection for my webmail. This works fine. But, when a mail contains images (e.g. newsletters from companies or webshops) and those images have to be downloaded from the (non-secure) website of those companies or webshops, then my webmail loses its secure connection. I don't like that.

At the moment, the source of an image in a mail is something like this:

<img src="http://image.webshop.com/example/image.jpg">
 
I do know a little bit of PHP scripting and I know that it is possible to download an image via the 'file_get_contents' function and keep the webmail connection secure. The way to do that is to alter the <img> line into:

<img src="img.php?i=http://image.webshop.com/example/image.jpg">

And then you have to add the img.php script file with the following lines:

<?php
// Fetch whatever URL was passed in ?i= and send it back unchanged.
$image=file_get_contents($_GET['i']);
echo $image;
?>

That's all!

I hope you can add this suggestion in the next release.

Kind regards,
Kevin
Title: Re: Images loading via file_get_contents to keep https-connection
Post by: SKaero on March 22, 2017, 11:57:31 AM
This is extremely insecure; anything put into an image file could end up being executed inside Roundcube. For example, create an image file with the following code:
Code:
<script>alert('Nope.');</script>

When fetched with your script, it would run the alert inside Roundcube. This easily allows for cross-site scripting.
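For comparison, here is what the img.php idea from the first post looks like once the problem pointed out above is addressed. This is an added example, not Roundcube's code and not the original poster's script; the file name img.php, the function names, the size limit and the allowed MIME list are all assumptions chosen for illustration. The important differences from the three-line version: the URL is restricted to http(s) and to public hosts so the proxy cannot be pointed at internal services, the response size and time are bounded, the type is decided from the bytes themselves rather than from the URL or the remote server's header, and the reply is sent with an explicit image Content-Type plus nosniff so the browser will not treat a file containing <script> as HTML.

```php
<?php
// Added example (hypothetical img.php): a hardened remote-image relay.
// Not Roundcube code; names and limits below are illustrative choices.

declare(strict_types=1);

// Only these image types are relayed; anything else (HTML, SVG, JS...) is refused.
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
const MAX_BYTES = 5 * 1024 * 1024; // refuse responses larger than 5 MiB

/**
 * Accept only absolute http(s) URLs whose host resolves to a public address.
 * Returns the URL unchanged, or null if it is rejected.
 */
function validate_image_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // blocks file://, php://, data:, ftp:// and friends
    }
    // Refuse loopback/private/reserved ranges so the relay cannot be used
    // as a stepping stone to hosts that only the webmail server can reach.
    $ip = gethostbyname($parts['host']);
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $public === false ? null : $url;
}

/**
 * Fetch the resource with a timeout, no redirect following, and a hard size cap.
 * Returns the body, or null on any failure.
 */
function fetch_bounded(string $url): ?string
{
    $ctx = stream_context_create([
        'http' => ['timeout' => 5, 'follow_location' => 0, 'user_agent' => 'image-proxy'],
    ]);
    // Read at most MAX_BYTES + 1 so an oversized response is detectable.
    $body = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
    if ($body === false || strlen($body) > MAX_BYTES) {
        return null;
    }
    return $body;
}

/**
 * Decide from the content itself whether this is an allowed image type.
 * A file that starts with "<script>" is detected as text, not as an image,
 * and is therefore never echoed back to the browser.
 */
function detect_image_type(string $body): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type = $finfo->buffer($body);
    return in_array($type, ALLOWED_TYPES, true) ? $type : null;
}

$url  = validate_image_url((string)($_GET['i'] ?? ''));
$body = $url !== null ? fetch_bounded($url) : null;
$type = $body !== null ? detect_image_type($body) : null;

if ($type === null) {
    http_response_code(403);
    exit; // send no body at all: remote content is never echoed on failure
}

// Serve the image in a way the browser cannot reinterpret as anything else.
header('Content-Type: ' . $type);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="image"');
header("Content-Security-Policy: default-src 'none'; sandbox");
header('Cache-Control: private, max-age=3600');
echo $body;
```

Two caveats a deployer should know about. The host check resolves the name once and the fetch resolves it again, so a hostile DNS server can still answer differently the second time; a stricter build pins the resolved address for the fetch. And the relay still tells the remote webshop which mailbox opened the mail (the request comes from the webmail server on the user's behalf), so it should be paired with the usual "load remote images?" prompt rather than applied to every message automatically.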
Title: Re: Images loading via file_get_contents to keep https-connection
Post by: kevinx on March 22, 2017, 12:11:25 PM
Thanks for your reply.

I guess my suggestion is not very good. But maybe someone knows a much better solution for this (little) problem. :)

Kind regards,
Kevin
Title: Re: Images loading via file_get_contents to keep https-connection
Post by: rm13 on March 23, 2017, 07:10:32 PM
Your webmail does not really lose its secure connection. It probably has a "mixed content" icon or alert. The connection between your web browser and your webmail server is still secure.