Do we have a security issue?

The page at https:/mydomain.duckdns.org:port/lovelace/summary_groups was allowed to display insecure content from http://img.youtube.com/vi/L4QC4eyE4NU/sddefault.jpg.

The above is from the inspector in Safari on Mac.

Chrome shows:

Mixed Content: The page at 'https://mydomain.duckdns.org:port/lovelace/summary_groups' was loaded over HTTPS, but requested an insecure image 'http://img.youtube.com/vi/L4QC4eyE4NU/sddefault.jpg'. This content should also be served over HTTPS.

While I have no pointer at all to any external source…

I have never seen this before, but am quite amazed to see this happen. Do we have a security issue here?

Have you been watching any Apple dev stuff?

I have checked and I don’t see anything going out to that page from my instance.

Haha, I have seen this picture before, don't remember if it was on Facebook or in Browser…

Still, why would HA show this to happen? It really shouldn’t…

No idea, but I am not seeing it on my instance, so I would be checking yours to see if there is an issue on that Lovelace tab (summary_groups). Maybe a custom card or something is loading it.

I have found the card that is causing it, and it consists of several fold-entity-rows, using auto-entities cards like this:

type: entities
title: Summary groups
show_header_toggle: false
entities:
  - type: custom:fold-entity-row
    head:
      type: section
      label: Family home
    entities:
      - type: custom:auto-entities
        card:
          type: entities
          style: |
            ha-card {
              box-shadow: none;
              margin: 0px -16px 0px -36px;
              }
          show_header_toggle: false
        filter:
          include:
            - group: group.family_home
              options:
                secondary_info: last-changed

  - type: custom:fold-entity-row
    head:
      type: section
      label: Hubs binary pinged
    entities:
      - type: custom:auto-entities
        card:
          type: entities
          style: |
            ha-card {
              box-shadow: none;
              margin: 0px -16px 0px -36px;
              }
#          show_header_toggle: false
        filter:
          include:
            - group: group.hubs_binary_pinged
              options:
                secondary_info: last-changed

Tbh, I am experiencing several oddities after having updated the latest card-tools card, after which I have taken that out of the config. I seem to only miss out on the card-tools using the secondaryinfo-entity-row card. But now I see this happening too.

I'll check by re-instating card-tools, and see what happens.

Edit:
Before re-instating card-tools, I found this to be the culprit:

  - type: custom:fold-entity-row
    head:
      type: section
      label: Media players
    entities:
      - type: custom:auto-entities
        card:
          type: entities
          style: |
            ha-card {
              box-shadow: none;
              margin: 0px -16px 0px -36px;
              }
        filter:
          include:
            - group: group.media_players
          exclude:
            - state: unavailable

And I do think I did check the Apple Conf app on one of my Apple TVs. Apparently, checking the media_players causes this to happen…

And re-instating card-tools doesn't make this go away. It only shows the other oddities again :wink:
Think I'll have to file an issue with Thomas on either fold-entity-row or auto-entities. Will start with the latter.

Copied from my GitHub response:
This is unrelated to auto-entities. If you have a plain entity card, it will still show up.
Basically it gives you the art for the currently playing thing, and when the media player API asked for the art, it gave an http URL.

Should be fixed in the latest update.
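
The cause identified above (a media player handing the frontend an http:// artwork URL while the dashboard is on HTTPS) can be checked for across all entities. The following is an added example, not code from the thread or from Home Assistant; it assumes state objects shaped like those returned by `/api/states` with the artwork URL in the `entity_picture` attribute, and all hostnames and sample states are constructed.

```javascript
// Added example: flag entity pictures that would load as mixed content.
// SAMPLE_STATES is constructed; it mimics entries of Home Assistant's /api/states.
const SAMPLE_STATES = [
  { entity_id: "media_player.apple_tv", state: "playing",
    attributes: { entity_picture: "http://img.example.invalid/vi/abc/sddefault.jpg" } },
  { entity_id: "media_player.kitchen", state: "playing",
    attributes: { entity_picture: "/api/media_player_proxy/media_player.kitchen" } },
  { entity_id: "media_player.bedroom", state: "playing",
    attributes: { entity_picture: "//cdn.example.invalid/cover.jpg" } },
  { entity_id: "media_player.tv", state: "idle", attributes: {} },
];

// Returns one finding per entity whose artwork URL resolves to plain http://
// when the dashboard itself is served over https://.
function findMixedContentPictures(states, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // no mixed content on an http page
  const findings = [];
  for (const s of states) {
    const pic = s.attributes && s.attributes.entity_picture;
    if (typeof pic !== "string" || pic === "") continue;
    let resolved;
    try {
      // Relative and protocol-relative URLs inherit the page's origin/scheme.
      resolved = new URL(pic, page);
    } catch (e) {
      continue; // not a parseable URL, nothing for the browser to fetch
    }
    if (resolved.protocol === "http:") {
      findings.push({ entity_id: s.entity_id, host: resolved.hostname, url: resolved.href });
    }
  }
  return findings;
}

const PAGE = "https://ha.example.invalid:8123/lovelace/summary_groups"; // constructed
for (const f of findMixedContentPictures(SAMPLE_STATES, PAGE)) {
  console.log(`${f.entity_id}: insecure artwork from ${f.host} (${f.url})`);
}
```

Only the absolute http:// URL is reported; the relative proxy path and the protocol-relative URL inherit the page's HTTPS scheme and are not flagged.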

In fairness, anything that attracts an audience in the volume that HA does is bound to attract unwanted attention. HA is knocking the socks off the competition.