NixOS Discourse Misconfigured to embed external `<img src="">`

I’ve just noticed that Discourse appears to be misconfigured in a way that allows anyone to insert tracking pixels into posts, or to load very big images.

For example, this embedded gif with `![](http://external)` is being served from an external server:
Cute gif

This allows anyone who embeds images to track IP addresses and user agents of visitors. Technically that could also be a GDPR concern.

If you right-click and “copy image URL” you can verify the behavior. On other instances, like the one hosted by Discourse itself, images embedded the same way would be served from their CDN.

The same goes for link previews (just right-click and check the image URL for any image, like the Open Graph image beneath).

After researching, I believe the issue might be resolved by setting `download_remote_images_to_local` to true, though it might need some more investigation (like using a CDN or S3, which server would download the image, image size limits, …).
I think there are separate configs that should be checked for onebox (like allowed iframes).

Update: @hexa forwarded it to “the admin team”

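As an added check (example code written for this page, not the NixOS admin team's or Discourse's own tooling), the following Python script does mechanically what the post suggests doing by hand with “copy image URL”: it parses a rendered topic page, collects every `<img>` `src` and `srcset` candidate, and reports the ones whose host is neither the forum's own host nor one of its known first-party hosts (CDN or S3 bucket). Running it against a page before and after flipping `download_remote_images_to_local` shows whether hot-linked images are still present. The sample HTML, the host names in it, and the `allowed_hosts` values are constructed for the example.

```python
"""Audit a rendered forum page for hot-linked (third-party) images.

Added example; not code from the NixOS Discourse or the Discourse project.
Every <img> whose src or srcset points at a host other than the page's own
host (or an explicitly allowed first-party host) is reported, because each
such image lets that host log the IP address and User-Agent of every reader.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ImgCollector(HTMLParser):
    """Collect candidate image URLs from <img> src and srcset attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        if a.get("src"):
            self.urls.append(a["src"])
        # srcset looks like "url1 1x, url2 2x": keep the URL part of each candidate
        for cand in (a.get("srcset") or "").split(","):
            parts = cand.strip().split()
            if parts:
                self.urls.append(parts[0])


def external_images(html, page_url, allowed_hosts=()):
    """Return [(absolute_url, host)] for images not served by the site itself.

    page_url:      URL the HTML was fetched from; relative and protocol-relative
                   (//host/path) image URLs are resolved against it.
    allowed_hosts: additional first-party hosts, e.g. the site's CDN or S3 bucket.
    Order is preserved and duplicates (e.g. the same URL in src and srcset) dropped.
    """
    first_party = {h.lower() for h in allowed_hosts}
    first_party.add((urlsplit(page_url).hostname or "").lower())

    parser = _ImgCollector()
    parser.feed(html)

    findings, seen = [], set()
    for raw in parser.urls:
        if raw.startswith("data:"):
            continue  # inline data URI: nothing is fetched from a remote host
        absolute = urljoin(page_url, raw)
        host = (urlsplit(absolute).hostname or "").lower()
        if host and host not in first_party and absolute not in seen:
            seen.add(absolute)
            findings.append((absolute, host))
    return findings


# Constructed sample of a rendered topic page (host names are placeholders).
SAMPLE_PAGE_URL = "https://discourse.example-forum.test/t/some-topic/1"
SAMPLE_ALLOWED_HOSTS = ("cdn.example-forum.test",)
SAMPLE_HTML = """
<div class="cooked">
  <p><img src="/uploads/default/original/1X/local.png" alt="local upload"></p>
  <p><img src="https://cdn.example-forum.test/optimized/2X/a.png"
          srcset="https://cdn.example-forum.test/optimized/2X/a.png 1x,
                  //cdn.example-forum.test/optimized/2X/a@2x.png 2x"></p>
  <p><img src="https://tracker.example.net/pixel.gif" width="1" height="1"></p>
  <p><img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="></p>
  <aside class="onebox"><img src="https://news.example.org/og-image.jpg"></aside>
</div>
"""


def audit_sample():
    """Run the audit over the constructed sample page."""
    return external_images(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWED_HOSTS)


if __name__ == "__main__":
    for url, host in audit_sample():
        print(f"hot-linked image from {host}: {url}")
```

On the sample this reports the 1×1 pixel from tracker.example.net and the onebox preview image from news.example.org, while the local upload and the CDN-hosted image (including its protocol-relative srcset candidate) pass. To audit a real instance, fetch the topic's HTML (Discourse also serves `/t/<id>.json` with the cooked HTML of each post) and pass the site's CDN or S3 host in `allowed_hosts`; anything left over is a host that can see your readers' IP addresses.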

This was forwarded to the Discourse admins, on Matrix in #security:nixos.org.


Yeah, we got it. I opened an internal ticket to follow up which links back here. We’ll have to read up on this. Flipping that switch (and maybe a few others) sounds simple enough, but we’ll need to verify whether this would cause old posts to also be updated.


I know this popped up right before Christmas, but it would be great if someone has time to look into it.


Thanks for being persistent about it. The admin team has finished the change today and all images are now served from our own deployment.


Thank you and everyone involved.