Serious privacy concern!

About: Image Max URL

Hi do you want to perhaps explain why this script has been actively pumping ALL my HTTP traffic for ALL SITES through i0.wp.com right here in line 52:

return url.replace(/^http:\/\//, "https://i0.wp.com/");

I'm VERY upset as there was NO DISCLOSURE this script would be actively redirecting all traffic ANYWHERE but its original intended destination!

This needs to be reviewed for removal unless it can be explained and accepted by users.

Comments

  • You're completely right, I wasn't even thinking about that, but yes, I should have definitely disclosed that.

    The reason for that line is that an XMLHttpRequest on an HTTPS site to an HTTP site automatically fails, so there needed to be some kind of proxy for it to work (the XMLHttpRequest is used for checking if the image exists, so that it doesn't redirect to a broken image).

    I've just updated the script; it now uses GM_xmlhttpRequest instead, which doesn't need this hack (as well as fixing a few other problems), and additionally, will notify users about any cross-domain requests (unless they click "Allow all domains"). So now, the traffic flow is simply:
    Original Image -> Image Max URL -> HEAD request to final image -> Redirect to final image
    Let me know if there are any more problems, and I'm sorry for not having disclosed that earlier.
  • I should add, i0.wp.com is the proxy site wordpress.com uses, either for resizing images (with a parameter at the end), or, presumably, for forcing HTTPS as well (non-HTTPS resources, such as images, don't load on an HTTPS website).
  • This seems settled, so clearing the report flag.
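
A reviewer can catch an undisclosed third-party host like this before installing a script by comparing the hosts hard-coded in the body against what the metadata block declares. The following is an added example, not part of the thread or of Image Max URL's own code; it assumes Tampermonkey-style `@connect` metadata, and the sample script, `example-cdn.test` and all function names are constructed (only the `url.replace` line is from the report above).

```javascript
// Constructed sample userscript; only the url.replace line is from the thread.
const SAMPLE_USERSCRIPT = String.raw`// ==UserScript==
// @match    *://*/*
// @grant    GM_xmlhttpRequest
// @connect  example-cdn.test
// ==/UserScript==
function proxied(url) {
  return url.replace(/^http:\/\//, "https://i0.wp.com/");
}
GM_xmlhttpRequest({ method: "HEAD", url: "https://example-cdn.test/a.jpg" });
`;
const META_BLOCK = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/;

// Parse the metadata block into { key: [values] }.
function parseMetadata(source) {
  const meta = {};
  const block = source.match(META_BLOCK);
  if (!block) return meta;
  for (const line of block[1].split("\n")) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s+(.*\S)\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Hosts hard-coded in string literals of the script body (metadata excluded).
function hardcodedHosts(source) {
  const body = source.replace(META_BLOCK, "");
  const found = [...body.matchAll(/["'`]https?:\/\/([a-z0-9.-]+)/gi)];
  return [...new Set(found.map(m => m[1].toLowerCase()))];
}

// @connect covers a host if it names it, a parent domain, or "*".
function isDeclared(host, connects) {
  return connects.some(c => c === "*" || host === c || host.endsWith("." + c));
}

// Report hard-coded hosts that the metadata never declares.
function audit(source) {
  const meta = parseMetadata(source);
  const connects = (meta.connect || []).map(c => c.toLowerCase());
  return {
    runsOnAllSites: (meta.match || []).includes("*://*/*"),
    undeclared: hardcodedHosts(source).filter(h => !isDeclared(h, connects)),
  };
}

console.log(audit(SAMPLE_USERSCRIPT));
```

This is a static string check only: a host assembled at runtime will not appear in the result, so an empty `undeclared` list does not replace reading the code.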