When I'm on the page https://www.dndbeyond.com/my-content/characters Firefox tells me that my connection is not secure. This happens because while I'm on HTTPS, some components are being fetched using HTTP.
The component in question is: http://media-waterdeep.cursecdn.com/attachments/0/2/sample-bg.jpg
When I'm on that page, this component is the only one retrieved from "media-waterdeep". All the rest come from "static-waterdeep" and are retrieved using HTTPS.
Please fix.
Hi Dagske,
thanks for flagging that. I love that modern browsers can identify possible cross-site scripting issues!
I'm guessing that this image was missed when they were migrated across.
I'll flag it as an issue for the team. :)
Pun-loving nerd | Faith Elisabeth Lilley | She/Her/Hers | Profile art by Becca Golins
If you need help with homebrew, please post on the homebrew forums, where multiple staff and moderators can read your post and help you!
"We got this, no problem! I'll take the twenty on the left - you guys handle the one on the right!"
It's not only XSS that is possible: Man-in-the-Middle attacks are possible, and a breach of confidentiality is possible too. I'm a security freak and this freaks me out.
Hey! Thanks for calling that out. It was a matter of the image source being hardcoded in. I'm fixing it as we speak, this should be resolved shortly!
Front End Developer for D&D Beyond by day,
Half Orc Barbarian, Gnome Sorcerer, Duergar Cleric, Aarakocra Barb/Rogue/Fighter (yeah yeah i know) by night. This has really gotten Adohand.
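The report above is a classic mixed-content finding: an https:// page that references one subresource with a hardcoded http:// URL, which Firefox flags by downgrading the padlock. The following checker is an added example for this thread, not code from D&D Beyond or from any poster. It parses a page with the standard library, resolves every subresource reference against the page URL (so site-relative and scheme-relative references, which inherit https, are not false positives), and reports the ones that would genuinely be fetched over plain HTTP, split into the two classes browsers distinguish. The page URL and the sample-bg.jpg URL are taken from the report; the rest of the sample HTML is constructed for the example.

```python
"""Find mixed content: plain-HTTP subresources referenced from an HTTPS page.

Added example for this thread, not D&D Beyond code. The tag-to-attribute
mapping and the blockable / optionally-blockable split follow the W3C Mixed
Content spec.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a subresource fetch. Browsers refuse "blockable"
# content (scripts, frames, stylesheets) outright when it is http:// on an
# https:// page; "optionally-blockable" content (images, media) is usually
# loaded but the padlock is downgraded, which is the warning Firefox showed.
SUBRESOURCE_ATTRS = {
    ("script", "src"): "blockable",
    ("iframe", "src"): "blockable",
    ("object", "data"): "blockable",
    ("img", "src"): "optionally-blockable",
    ("audio", "src"): "optionally-blockable",
    ("video", "src"): "optionally-blockable",
    ("source", "src"): "optionally-blockable",
}

# url(...) inside CSS, quoted or bare; background images live here.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)


class _RefCollector(HTMLParser):
    """Collects every subresource URL, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.in_style = False
        self.refs = []  # (tag, attribute, absolute_url, kind)

    def _add(self, tag, attr, url, kind):
        # urljoin turns '/img/x.png' and '//cdn/x.js' into https:// URLs, so
        # only references with a hardcoded http:// scheme survive the filter.
        self.refs.append((tag, attr, urljoin(self.page_url, url.strip()), kind))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = attrs.get("style")
        if style:  # inline style attribute, e.g. a background image
            for url in CSS_URL_RE.findall(style):
                self._add(tag, "style", url, "optionally-blockable")
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._add(tag, "href", attrs["href"], "blockable")
        elif tag == "style":
            self.in_style = True
        else:
            for (t, a), kind in SUBRESOURCE_ATTRS.items():
                if t == tag and attrs.get(a):
                    self._add(tag, a, attrs[a], kind)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # url(...) inside a <style> block
            for url in CSS_URL_RE.findall(data):
                self._add("style", "url()", url, "optionally-blockable")


def find_mixed_content(page_url, html):
    """Return (tag, attribute, url, kind) for each http:// subresource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    collector = _RefCollector(page_url)
    collector.feed(html)
    collector.close()
    return [ref for ref in collector.refs if urlsplit(ref[2]).scheme == "http"]


# Constructed sample page modelled on the report: assets on static-waterdeep
# over HTTPS (absolute, scheme-relative and site-relative), plus the one
# background image hardcoded with http:// on media-waterdeep.
SAMPLE_PAGE_URL = "https://www.dndbeyond.com/my-content/characters"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static-waterdeep.cursecdn.com/css/site.css">
<script src="//static-waterdeep.cursecdn.com/js/app.js"></script>
<style>.hero { background: url("https://static-waterdeep.cursecdn.com/img/hero.png"); }</style>
</head><body>
<img src="/img/avatar.png" alt="site-relative, inherits https">
<div class="bg" style="background-image: url(http://media-waterdeep.cursecdn.com/attachments/0/2/sample-bg.jpg)"></div>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline data URL, not a fetch">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: <{tag} {attr}> -> {url}")
```

Run against the sample, the only hit is the hardcoded background image, which matches the thread: one http:// reference on media-waterdeep, everything else on static-waterdeep over HTTPS. The developer's fix (correcting the hardcoded source) removes the finding at the root; as defence in depth, a `Content-Security-Policy: upgrade-insecure-requests` response header makes the browser rewrite any remaining http:// subresource requests to https:// before they are sent, so a missed asset degrades to a broken image rather than a plaintext fetch.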