fix: mixed content blocking for S.to cover images on HTTPS #193

Open
HaiNick wants to merge 1 commit into phoenixthrush:models from HaiNick:fix/mixed-content-image-proxy

Conversation

HaiNick commented Apr 25, 2026

Problem

S.to cover images are served from http://186.2.175.5 (plain HTTP). When the web UI is accessed over HTTPS (e.g. via a reverse proxy, Tailscale Serve, or any TLS-terminated setup), the browser blocks these image requests as mixed content. The images just fail silently with no error in the UI.

This affects all browse endpoints (/api/new-series, /api/popular-series, etc.) and the series detail view.

Root cause

The S.to CDN returns absolute HTTP image URLs. The backend passes these directly to the frontend, which then tries to load them as <img src="http://..."> from an HTTPS page, which the browser blocks as a security violation.

Fix

Added a server-side image proxy endpoint (/api/proxy-image) that fetches external cover images on behalf of the browser. All poster_url values are rewritten to route through this endpoint before being sent to the frontend.

  • Browser always requests images from the same HTTPS origin
  • Flask fetches the actual image from the CDN over HTTP server-side, so no mixed content restriction applies
  • Responses are cached client-side for 1 hour via Cache-Control
  • Proxy only accepts http:// and https:// URLs, returns 400 for anything else
  • Downloads are not affected, this only applies to poster images

Screenshots

Before (Tailscale HTTPS, broken):
screenshot-2026-04-25_10-44-22

Before (Tailscale HTTPS, broken - DevTools):
screenshot-2026-04-25_10-44-44

After (Tailscale HTTPS, fixed):
screenshot-2026-04-25_10-43-54

After (Tailscale HTTPS, fixed - DevTools):
screenshot-2026-04-25_10-45-28

Testing

Tested locally over plain HTTP (http://192.168.178.168:8070) and over HTTPS via Tailscale Serve (https://aniworld-test.snowy-burbot.ts.net). Cover images load correctly in both cases. Confirmed 200 OK with browser cache hits on repeat views.

Reverse-proxy upstream poster URLs through /api/proxy-image so the
browser loads them from the same origin. This unblocks HTTPS
deployments (e.g. behind Tailscale Funnel) where mixed content
silently broke cover images.

phoenixthrush added the bug and enhancement labels Apr 25, 2026