The bug
The https://sessionserver.mojang.com/session/minecraft/profile/<uuid> API (see unofficial wiki) returns skin and cape URLs that use HTTP instead of HTTPS as the protocol:
```json
{
  "timestamp": 1531794508246,
  "profileId": "c6d461c1f49540c5a475dda1b993490a",
  "profileName": "redstonehelper",
  "textures": {
    "SKIN": {
      "url": "http://textures.minecraft.net/texture/2fcdec2b1b135ae6cdd89cabc150ee7f9a27969c046cb1aa52d70011df1ebea0"
    },
    "CAPE": {
      "url": "http://textures.minecraft.net/texture/ae677f7d98ac70a533713518416df4452fe5700365c09cf45d0d156ea9396551"
    }
  }
}
```
This might be intended to support really old Java versions (see this comment), though it is questionable whether they would really have issues with https://.
Steps to reproduce
- Open for example https://sessionserver.mojang.com/session/minecraft/profile/c6d461c1f49540c5a475dda1b993490a in your browser
- Copy the Base64 string from the value property
- Decode the Base64 string, for example using https://www.base64decode.org/
Bug: The decoded JSON data contains http:// instead of https:// URLs for textures.minecraft.net
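The reproduction steps above can be automated as a check. This is an added example, not code from the report or from Mojang. It assumes the response wraps the Base64 string in a `properties` list entry named `textures` (as the unofficial wiki documents), and it builds a constructed response from the decoded JSON shown above so that it runs offline:

```python
import base64
import json
from urllib.parse import urlsplit

# Decoded texture payload as quoted in the report above.
DECODED_TEXTURES = {
    "timestamp": 1531794508246,
    "profileId": "c6d461c1f49540c5a475dda1b993490a",
    "profileName": "redstonehelper",
    "textures": {
        "SKIN": {"url": "http://textures.minecraft.net/texture/"
                        "2fcdec2b1b135ae6cdd89cabc150ee7f9a27969c046cb1aa52d70011df1ebea0"},
        "CAPE": {"url": "http://textures.minecraft.net/texture/"
                        "ae677f7d98ac70a533713518416df4452fe5700365c09cf45d0d156ea9396551"},
    },
}


def build_sample_response(textures):
    """Constructed stand-in for the API response body (envelope layout is assumed)."""
    value = base64.b64encode(json.dumps(textures).encode("utf-8")).decode("ascii")
    return json.dumps({
        "id": textures["profileId"],
        "name": textures["profileName"],
        "properties": [{"name": "textures", "value": value}],
    })


def insecure_texture_urls(response_body):
    """Return {texture_type: url} for each texture URL whose scheme is not https."""
    profile = json.loads(response_body)
    findings = {}
    for prop in profile.get("properties", []):
        if prop.get("name") != "textures":
            continue
        # Steps 2 and 3 of the report: take the value property and Base64-decode it.
        decoded = json.loads(base64.b64decode(prop["value"], validate=True))
        for kind, entry in decoded.get("textures", {}).items():
            url = entry.get("url", "")
            if urlsplit(url).scheme.lower() != "https":
                findings[kind] = url
    return findings


if __name__ == "__main__":
    for kind, url in insecure_texture_urls(build_sample_response(DECODED_TEXTURES)).items():
        print(f"{kind}: texture served over a non-HTTPS URL: {url}")
```
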