Minor Image SRC Issue – Images Loading from Author Site

Hi Oren,

First off, I want to say that this is a great plugin. It’s been extremely handy.

I just wanted to send a friendly heads up about a minor plugin developer guidelines violation/issue. (It’s always possible that I’m interpreting the rules differently than the mods/plugin team, but that’s how it seems to me at least.)

It seems innocent enough, and I definitely don’t think it was intentional – for example, in the past we have seen a similar issue in plugins for paypal.com or amazon AWS images.

The violation is: Plugin Developer Guidelines / Rule 7 / bullet point 3: “Images and scripts should be loaded locally as part of the plugin whenever possible. If external data (such as blocklists) is required, their inclusion must be made clear to the user.”

There are a few images that the plugin is trying to load from the author website. These images should really be included in the plugin package. We use Content Security Policy rules on our sites to prevent images loading from untrusted domains, so nothing is loading improperly on our sites, but I thought I should mention it. Technically it could be used to track user activity without their knowledge, and in specific cases could be used to compromise security (for example if a MitM attack was executed).

File oh-add-script-header-footer/oh-settings-page.php / Line 246:

<img src='//sogo.co.il/WPADS/720-90.jpg' alt='Sogo Web Development'/>

File oh-header-footer-metabox.php / Lines 26,64,92 :

src='//sogo.co.il/WPADS/300-250.jpg'

Thanks for taking the time to look into this and fix the issue. Keep up the good work ??

— Scott