-2

I've built myself a small image hosting service for my own projects and I recently switched the site to https which works perfectly.

Now I made a .htaccess file with a rewrite rule as described here so if I browse to http://myservice/image.jpg it automatically redirects me to https://myservice/image.jpg

My question now is how browsers react if I embed the http link of an image. Will the rewrite rule still be in effect and the image be transferred via https, or will it use unencrypted http?

I've tested it with Chrome and the image was displayed but I'm not sure if it was transferred via https or http. Are there any case studies which can shine a light on my question?

Christian

2 Answers

2

Browsers will send a separate request for the embedded image, so yes, that will then get redirected to https. Even so, some browsers may also warn their users because of the http link that "some resources on this page are not secure."

To avoid both of those problems, you should rewrite the links in your page or application to omit the leading scheme and hostname: e.g.

<a href="/img.png">

instead of

<a href="http://example.com/img.png">

Then the browser will automatically fetch the image from the same scheme (i.e. https) and hostname as the page, so you avoid the redirect to https and/or warning to users.

Additionally, if you really do need to specify the domain, you can still omit the protocol specification:

<a href="//example.com/img.png">

The protocol used to load the page containing the link will be prepended. So if the above link is on a page https://example.com/index.php then the link will point to https://example.com/img.png

fukawi2
Andrew Schulman
  • Thanks! But since it's an image hosting service I usually use these images in my blog. Since my blog is also https I use the protocol independent linking schema: I was afraid that some browsers might block the image since the hosting server doesn't respond with the same file the client requested. Do you think that's a problem? – Christian Jan 05 '15 at 19:57
  • I'm not sure why you say "the hosting server doesn't respond with the same file the client requested", but anyway I guess the only way to find out is to test it. – Andrew Schulman Jan 05 '15 at 20:00
  • Because the Image requested (http://...) is not the same as delivered (https://...) but after tail -f the http log of the ssl and non-ssl htaccess it seems that the rewrite rule doesn't work and the image is transferred via http – Christian Jan 05 '15 at 20:07
  • @Christian The browser receives a redirect in response to the http:// request, then requests the https:// resource instead. So the browser does receive what it requests, but it has to make 2 requests to get the image (the first request resulting in a redirect response from the server) – fukawi2 Jan 05 '15 at 23:00
0

I analyzed the log files of the http and https site and it seems the browser requests the http file, gets redirected and the https file is transmitted. In the logs I see the file request in both files but I assume that only the https file is transmitted.

Christian
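The log comparison described in the answer above can be automated. The following is an added example, not code from the original posts: it correlates the port-80 and port-443 access logs to tell, per path, whether the image body went out encrypted or in plaintext. The log lines are constructed, and it assumes both vhosts log in Apache's common/combined format.

```python
import re

# Apache common/combined format: host ident user [time] "METHOD path PROTO" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse(log_text):
    """Yield (client, path, status, body_bytes) for each parsable access-log line."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            client, _method, path, status, size = m.groups()
            yield client, path, int(status), 0 if size == "-" else int(size)

def classify(http_log, https_log):
    """Map each path seen on the port-80 vhost to how its bytes actually travelled."""
    https_ok = {(c, p) for c, p, s, _ in parse(https_log) if s in (200, 304)}
    result = {}
    for client, path, status, size in parse(http_log):
        if status in (301, 302, 307, 308):
            # Redirect on port 80: only the short redirect response was unencrypted.
            followed = (client, path) in https_ok
            verdict = "redirected" if followed else "redirect-not-followed"
        elif status == 200 and size > 0:
            # Full body answered on port 80: the rewrite rule did not apply here.
            verdict = "served-over-http"
        else:
            verdict = "other"
        result[path] = verdict
    return result

# Constructed sample logs (documentation IP range, made-up sizes and paths).
HTTP_LOG = '''\
203.0.113.7 - - [05/Jan/2015:20:05:01 +0100] "GET /image.jpg HTTP/1.1" 301 240
203.0.113.7 - - [05/Jan/2015:20:05:09 +0100] "GET /legacy/old.png HTTP/1.1" 200 48211
203.0.113.9 - - [05/Jan/2015:20:06:30 +0100] "GET /banner.gif HTTP/1.1" 302 238
'''
HTTPS_LOG = '''\
203.0.113.7 - - [05/Jan/2015:20:05:01 +0100] "GET /image.jpg HTTP/1.1" 200 81234
'''

if __name__ == "__main__":
    for path, verdict in classify(HTTP_LOG, HTTPS_LOG).items():
        print(f"{path:20} {verdict}")
```

A path reported as `served-over-http` means the image bytes left the server unencrypted, which is the case to look for when the rewrite rule is suspected of not matching.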