- Issue created by @claudiu.cristea
- πͺπΈSpain fjgarlin
Seems to be using this module: https://www.drupal.org/project/filter_html_image_secure β
- πͺπΈSpain fjgarlin
Based on this
variable_getline https://git.drupalcode.org/project/filter_html_image_secure/-/blob/7.x-1..., it should be a relatively easy change, we can addgit.drupalcode.orgto the list of domains. - πͺπΈSpain fjgarlin
It's actually in the
settings.phpfile.We could do something like this:
$conf['filter_html_image_secure_domains'] = array( 'drupal.org', 'www.drupal.org', 'git.drupalcode.org' ); - π·π΄Romania claudiu.cristea Arad π·π΄
Thank you for looking into this.
The badge seems to be on drupalcode.org not on git.drupalcode.org. See https://git.drupalcode.org/project/track_usage/-/raw/1.x/README.md. That is the README where I can link the badge.
- πͺπΈSpain fjgarlin
I updated my previous suggestion based on that. Thanks.
- 🇷🇴Romania claudiu.cristea Arad 🇷🇴
I cannot test but looking at the module code and proposed changes in settings.php seems to be what we need
- 🇺🇸United States drumm NY, US
filter_html_image_secure actually verifies that the images are indeed images in the filesystem: https://git.drupalcode.org/project/filter_html_image_secure/-/blob/7.x-1...
This prevented <img src="/user/logout"> from actually logging you out, even though it could be a valid, local image. So filter_html_image_secure_domains can only be domains the Drupal site itself is accessible from.
Modern browser protections, and GitLab paying attention to security, should make cross-site request forgery less of a concern. Although we do have some CORS allowances for trusting requests originating from www.drupal.org. The chances of this being part of an exploit are low, but not zero.
Given that we do show the pipeline result for dev releases on the project page, that this would likely require code changes to filter_html_image_secure, and that it has potential to be a security concern, I think it will be best to re-evaluate this after project pages have been migrated to the modern Drupal site.
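The check drumm describes, written out as an added PHP example that is not the filter_html_image_secure module's own code; the function names, the web root and the sample src values are assumptions:

```php
<?php
// Added example, not the filter_html_image_secure module's own code. It mirrors
// the behaviour described above: an <img> survives only when its src maps to a
// real image file under the local web root. A URL on an allow-listed host is
// reduced to its path first, so a host not served from this filesystem fails.

function secure_image_filter(string $html, array $allowed_domains, string $webroot): string {
    return preg_replace_callback(
        '/<img\b[^>]*\bsrc\s*=\s*(["\'])(.*?)\1[^>]*>/i',
        function (array $m) use ($allowed_domains, $webroot): string {
            return local_image_path($m[2], $allowed_domains, $webroot) !== null ? $m[0] : '';
        },
        $html
    );
}

// Verified filesystem path of the image behind $src, or null if it must be dropped.
function local_image_path(string $src, array $allowed_domains, string $webroot): ?string {
    $parts = parse_url($src);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['host'])) {
        // Absolute URL: only http(s) on an allow-listed host gets as far as the file check.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || !in_array(strtolower($parts['host']), $allowed_domains, true)) {
            return null;
        }
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/') {
        return null;
    }
    $real = realpath($webroot . $path);
    $root = realpath($webroot);
    // Reject missing files and paths that escape the web root via "../".
    if ($real === false || $root === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // getimagesize() fails on anything that is not a decodable image, so a
    // path such as /user/logout never becomes an <img> the browser fetches.
    return @getimagesize($real) !== false ? $real : null;
}

// Constructed sample: local image, badge on an allow-listed host (no local file), local non-image URL.
$input = '<img src="/sites/default/files/logo.png">'
       . '<img src="https://git.drupalcode.org/project/x/badges/main/pipeline.svg">'
       . '<img src="/user/logout">';
echo secure_image_filter($input, ['www.drupal.org', 'git.drupalcode.org'], '/var/www/html'), "\n";
```

With the sample input, the logout URL and the badge are both dropped, the badge because no file exists under the web root for its path, which is exactly why adding git.drupalcode.org to the domain list does not help on its own; the local logo is kept only if that file exists under /var/www/html and decodes as an image.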