Mojira Archive
WEB-1083

sessionserver.mojang.com API provides HTTP skin and cape URLs

The bug

The https://sessionserver.mojang.com/session/minecraft/profile/<uuid> API (see unofficial wiki) uses HTTP instead of HTTPS as the protocol for skin and cape URLs:

{
    "timestamp": 1531794508246,
    "profileId": "c6d461c1f49540c5a475dda1b993490a",
    "profileName": "redstonehelper",
    "textures": {
        "SKIN": {
            "url": "http://textures.minecraft.net/texture/2fcdec2b1b135ae6cdd89cabc150ee7f9a27969c046cb1aa52d70011df1ebea0"
        },
        "CAPE": {
            "url": "http://textures.minecraft.net/texture/ae677f7d98ac70a533713518416df4452fe5700365c09cf45d0d156ea9396551"
        }
    }
}

This might be intended to support really old Java versions (see this comment), though the question is whether they would really have issues with https://.

Steps to reproduce

  1. Open, for example, https://sessionserver.mojang.com/session/minecraft/profile/c6d461c1f49540c5a475dda1b993490a in your browser
  2. Copy the Base64 string from the value property
  3. Decode the Base64 string, for example using https://www.base64decode.org/
    Bug: The decoded JSON data contains http:// instead of https:// URLs for textures.minecraft.net
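
The reproduction steps above as an offline check, with the client-side mitigation of refusing unexpected hosts and upgrading http:// texture URLs before fetching. This is an added example, not code from the report or from Mojang. The response layout (a "properties" list holding a "textures" entry), the function names and the HTTPS availability of the texture host are assumptions; the sample response is constructed from the decoded JSON shown in the report.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

TEXTURE_HOST = "textures.minecraft.net"
# Decoded payload copied from the report above.
REPORTED_PAYLOAD = {
    "timestamp": 1531794508246,
    "profileId": "c6d461c1f49540c5a475dda1b993490a",
    "profileName": "redstonehelper",
    "textures": {
        "SKIN": {"url": "http://textures.minecraft.net/texture/2fcdec2b1b135ae6cdd89cabc150ee7f9a27969c046cb1aa52d70011df1ebea0"},
        "CAPE": {"url": "http://textures.minecraft.net/texture/ae677f7d98ac70a533713518416df4452fe5700365c09cf45d0d156ea9396551"},
    },
}

def build_sample_response(payload):
    """Constructed response: payload Base64-encoded into a 'textures' property (assumed layout)."""
    value = base64.b64encode(json.dumps(payload).encode()).decode()
    return json.dumps({"id": payload["profileId"], "name": payload["profileName"],
                       "properties": [{"name": "textures", "value": value}]})

def decode_textures(response_text):
    """Steps 2-3 of the report: take the Base64 'value' property and decode it to JSON."""
    for prop in json.loads(response_text).get("properties", []):
        if prop.get("name") == "textures":
            return json.loads(base64.b64decode(prop["value"], validate=True))
    raise ValueError("response has no 'textures' property")

def audit_texture_urls(payload):
    """Return {texture type: (finding, URL the client should fetch, or None to refuse)}."""
    findings = {}
    for kind, entry in payload.get("textures", {}).items():
        parts = urlsplit(entry.get("url", ""))
        if parts.hostname != TEXTURE_HOST or parts.scheme not in ("http", "https"):
            findings[kind] = ("unexpected-url", None)  # never follow other hosts or schemes
        elif parts.scheme == "http":
            # Assumption: the host serves the same path over HTTPS, so upgrade client-side.
            findings[kind] = ("plaintext-http", urlunsplit(parts._replace(scheme="https")))
        else:
            findings[kind] = ("ok", entry["url"])
    return findings

if __name__ == "__main__":
    decoded = decode_textures(build_sample_response(REPORTED_PAYLOAD))
    for kind, (finding, fetch_url) in audit_texture_urls(decoded).items():
        print(f"{kind}: {finding} -> {fetch_url}")
```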

Unresolved

Marcono1234

[Mojang] Web Team

2018-07-17, 02:36 AM

2024-01-07, 06:09 PM

cape, http, https, skin