For example on https://www.nuget.org/packages/Microsoft.Data.OData/5.0.0.50403 there is a JS security error SEC7111: HTTPS security is compromised by http://static.tumblr.com/hgchgxz/9ualgdf98/icon.png
Building a port of https://github.com/atmos/camo/blob/master/README.md
Port completed - https://github.com/maartenba/CamoDotNet
We can use this if/when we decide to implement this improvement.
+1
If still needed, CamoDotNet is still out there :-)
Wouldn't #1074 cover this? If images are brought in and hosted by NuGet (I'm not sure why https://github.com/NuGet/NuGetGallery/issues/14 was closed?) 3 issues could be solved at once:
I'd propose that NuGet simply grabs and re-hosts the image when a package is uploaded (this wouldn't be hard to backfill as well). This of course only happens if the URL is valid. Having an on-site way for the owner to replace the image isn't crazy either.
This also prevents leaking search data to other domains, which is currently the case for any https:// icons. The referer header is being sent to those packages, allowing them to see which searches hit their package. I'm not sure if that's a concern or not, but seeing all the IPs, etc. of users hitting NuGet.org I wouldn't think is intentional.
Thoughts?
We started work on having icons inside the NuGet package: https://github.com/NuGet/Home/wiki/Packaging-Icon-within-the-nupkg
Since icon url will be deprecated, insecure icon URLs will not be a problem in the future. As part of the work we will also secure icons for existing packages. More details will be shared as we work on the design.
//cc: @agr , @zivkan
@skofman1 How is this work progressing? Browsers are starting to complain more and more about mixed mode served content as it's clearly a security risk for MITM attacks.
I.e. the Microsoft WindowsAzure.Storage gravatar is served over http ( http://www.gravatar.com/avatar/425be63bdaaeeffd26d0172ed2030198.png ), making browsers grumpy.
@devlead , work is starting now.
This is done. All icons are served from nuget.org's cache. Gravatar images are proxied by nuget.org.