Image Max URL

Finds larger or original versions of images and videos for 7100+ websites, including a powerful media popup feature


Question/comment

§

Serious privacy concern!

Hi, do you want to perhaps explain why this script has been actively pumping ALL my HTTP traffic for ALL SITES through i0.wp.com right here in line 52:

return url.replace(/^http:\/\//, "https://i0.wp.com/");

I'm VERY upset as there was NO DISCLOSURE this script would be actively redirecting all traffic ANYWHERE but its original intended destination!

This needs to be reviewed for removal unless it can be explained and accepted by users.

qsniyg (Author)
§
You're completely right, I wasn't even thinking about that, but yes, I should have definitely disclosed that.

The reason for that line is that an XMLHttpRequest on an HTTPS site to an HTTP site automatically fails, so there needed to be some kind of proxy for it to work (the XMLHttpRequest is used for checking if the image exists, so that it doesn't redirect to a broken image).

I've just updated the script; it now uses GM_xmlhttpRequest instead, which doesn't need this hack (as well as fixing a few other problems), and additionally will notify users about any cross-domain requests (unless they click "Allow all domains"). So now, the traffic flow is simply:
Original Image -> Image Max URL -> HEAD request to final image -> Redirect to final image
Let me know if there are any more problems, and I'm sorry for not having disclosed that earlier.
qsniyg (Author)
§
I should add, i0.wp.com is the proxy site wordpress.com uses, either for resizing images (with a parameter at the end), or, presumably, for forcing HTTPS as well (non-HTTPS resources, such as images, don't load on an HTTPS website).
§
This seems settled, so clearing the report flag.
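
Added example, not part of the thread and not Image Max URL's own code: the rewrite quoted in the report beside a HEAD existence check in the style the author describes, recording which host receives each request. The names `viaProxy`, `thirdPartyHost`, `checkImage` and `makeRecorder`, the stub standing in for GM_xmlhttpRequest, and the example.test URL are assumptions constructed for illustration.

```javascript
// Added illustration; not Image Max URL's code. Function names are hypothetical.

// The rewrite quoted in the report: every http:// URL is pointed at i0.wp.com.
function viaProxy(url) {
  return url.replace(/^http:\/\//, "https://i0.wp.com/");
}

// Returns the host that receives the request when it is not the image's own
// host (a third party learns the URL), or null when the request goes direct.
function thirdPartyHost(imageUrl, requestedUrl) {
  const origin = new URL(imageUrl).hostname;
  const target = new URL(requestedUrl).hostname;
  return target === origin ? null : target;
}

// Existence check as a HEAD request. `gmRequest` is any function with the
// GM_xmlhttpRequest calling convention (details object with onload/onerror).
function checkImage(url, gmRequest, done) {
  gmRequest({
    method: "HEAD",
    url: url,
    onload: (resp) => done(resp.status >= 200 && resp.status < 300),
    onerror: () => done(false),
  });
}

// Constructed stand-in for GM_xmlhttpRequest: records each contacted host and
// answers 200 only for URLs in `existing`, so the example runs offline.
function makeRecorder(existing) {
  const hosts = [];
  const request = (details) => {
    hosts.push(new URL(details.url).hostname);
    details.onload({ status: existing.has(details.url) ? 200 : 404 });
  };
  return { hosts, request };
}

// Constructed sample URL (example.test is a reserved test domain).
const image = "http://img.example.test/full/photo.jpg";
const rec = makeRecorder(new Set([image]));
checkImage(viaProxy(image), rec.request, () => {}); // old flow: goes to the proxy
checkImage(image, rec.request, () => {});           // updated flow: goes direct
console.log(rec.hosts, thirdPartyHost(image, viaProxy(image)));
```
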
