Not Able to add pictures on new Forum

[Absconditus.6804]

I think you guys should be looking for a new Security person. I can understand not wanting to host the images yourself, but to not allow embedding external images as a security measure? Undesirable content will be reported by players. As long as you got moderation, that content can be removed swiftly. Linking images like this is just not the same.

[Healix.5819]

@Inculpatus cedo.9234 said:Do the imbedded videos give away IP addresses? Is that a big concern? I've no idea.

Whenever you access something on the internet, you're telling the host your location, otherwise you wouldn't be able to download anything. Embedded videos and anything else that links offsite will give away your IP. The problem is in allowing any random site, whereas legit ones like imgur or youtube wouldn't be a problem and of course safer than random links.

Is it a big concern? That's up to you. By knowing your IP, I know roughly where you live. The problem in allowing embedding is that you'll automatically access the URL, whereas you have to intentionally click a link, so getting your IP is as simple as getting you to read this, if they allowed it.

[Inculpatus cedo.9234]

@Healix.5819 said:

@Inculpatus cedo.9234 said:Do the imbedded videos give away IP addresses? Is that a big concern? I've no idea.

Whenever you access something on the internet, you're telling the host your location, otherwise you wouldn't be able to download anything. Embedded videos and anything else that links offsite will give away your IP. The problem is in allowing any random site, whereas legit ones like imgur or youtube wouldn't be a problem and of course safer than random links.

Is it a big concern? That's up to you. By knowing your IP, I know roughly where you live. The problem in allowing embedding is that you'll automatically access the URL, whereas you have to intentionally click a link, so getting your IP is as simple as getting you to read this, if they allowed it.

So, I guess the allowed video is because it's from ArenaNet's Twitch channel or something?

I don't really care if people 'know roughly where I live'. Lol, there's millions of people 'roughly where I live'. From other posts, it sounds like it more a matter of space than security, really. If it was truly security, they could have made a no-posting-pix rule on the other forums...but they didn't.

[Ara.4569]

Anyone made a browser extension or an user script (tampermonkey-like) to work around some of those limitations ?I think that would do wonders as these could potentially:

• expose the URL instead of covering it under some potentially deceiving text.
• allow direct links.
• display a thumbnail or preview.
• restrict these actions to a white-list.And more...

[Tiscan.8345]

@"Gaile Gray.6029" said:I am sorry for the inconvenience. When we were investigating options for our new forums, one of the parameters set by our Security person was that we disallow all images on the forums. This is not a decision I wanted, as it seriously impacts a number of discussion types, including fan art, guild recruitment, events, and much more. But I'm afraid that as a security measure, we cannot accept images on the forums, and must ask for hosting and for a user going through the steps required to view an image on an external site.

Again, I am very sorry for this inconvenience and wish there was another way to make this more fluid and easy for everyone.

Right now, people can embed YouTube/Vimeo-Videos, Songs from Soundcloud, Twitter-Postings and a lot of other stuff by posting links. For example:

https://soundcloud.com/wiljanmusic/in-town

And the same works for GIF-Videos stored on imgur. So why not write a simple plugin that allow people to embed images from imgur? Judging from the code, it shouldn't be that hard to write a simple plugin. I guess most of the code could be copied from Vanilla Forum's own class.format.php.

[Girbilcannon.8259]

Some of you keep talking about hosting images directly on the site and it's not their responsibility, blah blah blah. But look at gw2style.com for example. All images on that website are hosted from imgur links and they dont have to host a single image. Guess what, no security problems on there. That being said, you CAN upload images to an external source and be able to view them on the forums. Anet, please look into that website as an example of what to do about the image situation.

https://gw2style.com/

[Donari.5237]

I'm not sure if this dedicated thread or the overall feedback thread is best, so I'll start here and see where to go from there.

I understand that ANet no longer is willing to host images, probably for very good reasons having to do with security. However, does embedding images carry the same risk? People have said ANet is using the same base forum software as ESO now, and in the ESO forums you certainly can directly display images so long as you have them hosted somewhere else. Ditto on the Enjin forums, which use the same little "painting" icon to get the popup asking for a URL as we see right here in these new forums. (No, I do not think a shared graphic = shared software). All that seems to do is display the linked image within the posted message without requiring the viewer to navigate away from the forum.

I don't know that this would make me willing to return to posting images in the forums, since I do not want someone viewing a singular image to see the host site's framework or be able to navigate to the rest of my albums and it may be possible for them to do so by doing an "open original." But it would bring graphic life back to the game forums as people could view images directly and others less finicky than me about showing more than I want to could enjoy sharing their pictures once more.

Downside: The ESO posted images can be fairly large and since they don't start as thumbnails until actively clicked as we saw on ANet's previous forums, they could slow loading for people on mobile or low end machines.

[TheQuickFox.3826]

Why can't we just upload our images to the forum as attachment? In the previous forum this worked fine and allowing anyone to post images without having to rely on 3rd party hosting. And they got nicely thumbnailed as well.

[Donari.5237]

@TheQuickFox.3826 said:Why can't we just upload our images to the forum as attachment? In the previous forum this worked fine and allowing anyone to post images without having to rely on 3rd party hosting. And they got nicely thumbnailed as well.

ANet has said that this function is a security risk and they will no longer host images. So that's why.

[Eley.1907]

Embedding image from other site is more risky than to host images ourselves. For example, other site can show login and password popup, and users will enter GW2 forum password. Or, other site can add malicious code to image if some browser vulnerability will appear. If Anet host images ourselves, they have complete control and no such problems.

[Tiscan.8345]

@Eley.1907 said:Embedding image from other site is more risky than to host images ourselves. For example, other site can show login and password popup, and users will enter GW2 forum password. Or, other site can add malicious code to image if some browser vulnerability will appear. If Anet host images ourselves, they have complete control and no such problems.

Depends on how you do it. The current "solution" is probably the worst solution possible as people have to actually visit external sites. Those sites can run JavaScript, Java-Applets or whatever they wanna do. Its basically the total opposite of "enhanced security".

The best solution (given the fact that ANet doesn't want to host the images on their servers anymore) would be to allow embedding of pictures from a "well-known" site like imgur. I wrote a [very simple "proof of concept" plugin](https://en-forum.guildwars2.com/discussion/1350/poc-linking-imgur-images-in-postings-vanilla-forums-plugin "very simple "proof of concept" plugin") for the forum-software ANet uses. If you post a link to imgur, it gets replaced with the HTML-code to display that image.

That way, ANet hasn't got to worry about storing the images and its as secure as embedding YouTube-videos or Soundcloud-Songs.

Of course its possible to just setup an Instagram-Account and link to it:

https://www.instagram.com/p/BZHInhvFIPj/?taken-by=arenanet

But Instagram is kinda annoying :grin:

[Darlgon.9273]

@Gaile Gray.6029 said:I am sorry for the inconvenience. When we were investigating options for our new forums, one of the parameters set by our Security person was that we disallow all images on the forums. This is not a decision I wanted, as it seriously impacts a number of discussion types, including fan art, guild recruitment, events, and much more. But I'm afraid that as a security measure, we cannot accept images on the forums, and must ask for hosting and for a user going through the steps required to view an image on an external site.

Again, I am very sorry for this inconvenience and wish there was another way to make this more fluid and easy for everyone.

I THINK your Security guy has confused the risk of HOSTING the images from unknown users with the risk of them being linked and passing thru your system by registered users of your forums. As a many year network admin security specialist for both banks and the USPS, I wonder if he is does not need to do some more research.

[Myrdreth.6829]

@Healix.5819 said:Allowing embedded offsite images is a problem because it gives away your IP address to whoever wants it. They could allow embedded imgur links however, or other big names, which is certainly the better option over clicking random links to imgur.com.

That's scary!

@shadow.6174 said:

@Girbilcannon.8259 said:

@MidnightX.6294 said:Even if it is about security of the forum - we players are not secured by this. We have to click links, which is not saver, its more risky to us.

THIS!

Very much this! ^^^

YES! What about our security?!

[Illconceived Was Na.9781]

My take away is that ANet considers images to be inherently insecure. If I trust ANet's word on that, then i see no reason why I should trust images from some 3rd party site either. At least without a clear explanation from ANet's security team as to what the real issues are.

As a result, I won't be uploading images of my own nor clicking on links of other players.

[Blude.6812]

I would be curious just how many security issues (i.e. Anet servers, forums, user accounts etc) were compromised by images on the old forums? I would be very interested if Anet would share that info to justify the security persons' statement. I have a feeling it is more a space/cost /resource issue than an security issue (imho).

[shadow.6174]

@Blude.6812 said:I have a feeling it is more a space/cost /resource issue than an security issue (imho).

Bingo!

[Chris Cleary.8017]

This has everything to do with the forum software suite that was chosen to be used for the new forums. Without getting too deep into why, there are issues with how the forum handles non-standard inputs and how it surfaces those to clients without their control. There are native and legacy embeds that are allowed currently, but since the issues that were present at the time of launching this forum still existed, image upload and image embeds are disabled until further notice.

[Illconceived Was Na.9781]

@Chris Cleary.8017 said:This has everything to do with the forum software suite that was chosen to be used for the new forums. Without getting too deep into why, there are issues with how the forum handles non-standard inputs and how it surfaces those to clients without their control. There are native and legacy embeds that are allowed currently, but since the issues that were present at the time of launching this forum still existed, image upload and image embeds are disabled until further notice.

Thanks for posting more about this (even though it's a little vague). I find it a little disconcerting that the best option you guys had for forum software has such a flaw.

(I'm still not inclined to follow links or upload images, at least not until I understand what the risks are and how to avoid them at a third party site that might not be as security conscious as I'd like.)

[Inculpatus cedo.9234]

How odd that your post, Chris, is not showing up on any of the Dev Tracker features. Another bug, I guess.

[Flatley.1620]

OK, ignorant question inc.

If I upload an image from my phone to, say, a cloud space, could my personal IP still be ascertained?

Thanks.

[mrstealth.6701]

@Flatley.1620 said:OK, ignorant question inc.

If I upload an image from my phone to, say, a cloud space, could my personal IP still be ascertained?

Thanks.

Your IP would be visible to the cloud/hosting service you uploaded the image to, but anyone viewing it from there (forum readers) would be connecting to that host and not you.

Overall, the IP fearmongering here is more than a bit over the top. It seems to based more around uploading an image to a host you control, and then being able to see the IP address of every other forum reader that loads that image from your server. Sure, that is making your IP visible to that image host, but every thing you connect to on the internet sees your IP (unless you're using a VPN or proxy). It's not giving that image host any means of actually identifying your username (or anything else personally identifiable), as they would only have a big list of IP addresses that had access the image. They would not have a way to determine which IP address is yours out of the hundreds or thousands of other users that viewed the forum post.

Every time you visit a page on the internet you are giving that site, its advertisers, analytics services, external image hosts, etc your IP address. It's kind of like an internet PO box address with no name attached. Unless you are actually logged into the site/host, or the one you log into is actively sharing that identity (who's IP is who's) to others, you are just an IP address to them. It's basically the same level of identification that an advertiser's tracking cookie has. Generally, the only people that can actually get something trackable out of it are those marketing and analytics companies working with the sites you visit, because they track it across many sites and that information is shared between them and the sites they work with.

[Zoltreez.6435]

seriously can we just go back to the original 100000x better forum ?

it was literaly better in EVERYTHING that this new load of cra...........

[Gaile Gray.6029]

@"Tiscan.8345" -- can that "proof of concept" also extend to other sites, such as Tumblr? We get so much fan art on Tumblr, and I'd love to be able to make the case for the uploading of images from Tumblr, rather than a link.

Thanks.

[Pepper.3901]

@Girbilcannon.8259 said:Anet, please fix this. When we want to see images in image based threads, we have to take so many steps to view it. with no clickable thumbnails we have to:

1. right click the image link
2. open link in new tab or page (so we dont lose our spot in the forums)
3. wait for the website to tell us about an external link warning
4. click the link on that page and then we FINALLY get to see the image

It should be as simple as seeing a thumbnail, clicking it, and having pop up in a window over the forums.

Dear Anet,

My computer is far more secure as a responsible gamer than ~~some ~~ most imaging websites.

-Your Gamer Base

[Deihnyx.6318]

@Healix.5819 said:Allowing embedded offsite images is a problem because it gives away your IP address to whoever wants it. They could allow embedded imgur links however, or other big names, which is certainly the better option over clicking random links to imgur.com.

Visiting any link that has some back end processing will reveal your IP to the server, I'm not sure what it has to do with pictures?Players won't see each other IPs, only the server will see them if they want to.