Added option enforcing HTTPS-only inline imagery

extensions/images.php

@@ -95,15 +95,19 @@ public function enhanceTweet($tweet){
 		}
 
 		public function displayTweet($d, $tweet){
+			global $config;
+			$https_strict = $config['https_strict'];
 			@$tweetextra = unserialize($tweet['extra']);
 			if(is_array($tweetextra) && array_key_exists("imgs", $tweetextra)){
 				preg_match("/^([\t]+)</", $d, $m); $x = $m[1];
 				$ds    = explode("\n", $d, 2);
 				$imgd  = ""; $i = 1; $is = array();
 				foreach($tweetextra['imgs'] as $link => $img){
-					$imgd .= 
-						$x . "\t<a class=\"pic pic-" . s($i) . "\" href=\"" . s($link) . "\">" .
-						"<img src=\"" . s($img) . "\" alt=\"\" /></a>\n";
+					if(!$https_strict || substr(s($img), 0, 2) == "//" || substr(s($img), 0, 8) == "https://") {
+						$imgd .=
+							$x . "\t<a class=\"pic pic-" . s($i) . "\" href=\"" . s($link) . "\">" .
+							"<img src=\"" . s($img) . "\" alt=\"\" /></a>\n";
+					}
 					$is[$link] = $i++;
 				}
 				foreach($is as $link => $i){

inc/config.php

@@ -32,6 +32,7 @@
 
 		'follow_me_button'   => true, // Display 'follow me' button?
 		'smartypants'        => true, // Use SmartyPants to perfect punctuation inside tweets?
+		'https_strict'       => false, // Disable inline images for HTTP-only image hosters?
 		
 		'css' => 'styles/streamlined/styles.css.php', // What CSS file should we use?
 		

setup.php

@@ -252,6 +252,7 @@ function configSetting($cf, $setting, $value){
 							$cf = configSetting($cf, "maintenance_http_password", $_POST['maintenance_http_password']);
 							$cf = configSetting($cf, "follow_me_button", !empty($_POST['follow_me_button']));
 							$cf = configSetting($cf, "smartypants", !empty($_POST['smartypants']));
+							$cf = configSetting($cf, "https_strict", !empty($_POST['https_strict']));
 							$f  = fopen("inc/config.php", "wt");
 							$fe = "Could not write configuration to <code>config.php</code>, please make sure that it is writable! Often, this is done through giving every system user the write privileges on that file through FTP.";
 							if($f){
@@ -740,11 +741,16 @@ function configSetting($cf, $setting, $value){
 				<div class="field"><input type="checkbox" class="checkbox" name="follow_me_button" id="follow_me_button" checked="checked" /></div>
 				<div class="what">Display a &#8220;Follow me on Twitter&#8221; button on your Tweet Nest page?</div>
 			</div>
-			<div class="input lastinput">
+			<div class="input">
 				<label for="smartypants">SmartyPants</label>
 				<div class="field"><input type="checkbox" class="checkbox" name="smartypants" id="smartypants" checked="checked" /></div>
 				<div class="what">Use <a href="http://daringfireball.net/projects/smartypants/" target="_blank">SmartyPants</a> to perfect punctuation inside tweets? Changes all "straight quotes" to &#8220;curly quotes&#8221; and more.</div>
 			</div>
+			<div class="input lastinput">
+				<label for="https_strict">HTTPS Strict</label>
+				<div class="field"><input type="checkbox" class="checkbox" name="https_strict" id="https_strict" checked="checked" /></div>
+				<div class="what">Enforce to only show inline images (&#8220;thumbnails&#8221;) when they come from HTTPS urls. If you are concerned about <a href="https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content" target="_blank">mixed content</a> (or just want to prevent the warnings from modern browsers), you should check this.</div>
+			</div>
 
 			<h2>Style settings</h2>
 			<div class="note">