I have a self-hosted SonarQube instance, behind a proxy.
I want to include the badges on my private GitHub repo's readme.md. This repo is only accessed by individuals behind the proxy so they won't have issues viewing the images.
However, GitHub is converting them to URLs like https://camo.githubusercontent.com/blahblahblah.
These all render as broken images. Checking the console, camo.githubusercontent.com is returning 404s for my images, presumably because camo can't see the images.
I understand GitHub does this for reasons of anonymity and caching but it's quite annoying. Searching online reveals a lot of frustration with GitHub's behaviour on this but it's mostly aimed at their excessive caching and the solution seems to be setting headers by the image provider. However, we don't want to expose the images to camo.githubusercontent.com or anyone else.
I have tried adding images using markdown format and <img src=""> but no dice.
How can we get GitHub to serve images that GitHub can't see, but the client can?
Any image that would render in a GitHub README.md file (or other rendered HTML format) will be rendered using camo.  There are several reasons for this.  One is performance: GitHub serves a lot of users, and page load times would be bad if they didn't.  Another is privacy: letting repo owners embed tracking images would be unacceptable.  And finally, there's the DDoS angle: hosting images externally permits a malicious repository owner with a reasonably popular repository to DDoS any site they choose simply by loading one of its images.
There isn't a way to disable camo because it's built into the rendering pipeline.  It isn't specific to Markdown; it will also apply to raw HTML files, AsciiDoc, and anything else that produces HTML.  You can provide some sort of dashboard via a link or use links in some other way, or somehow via a data: URL, but otherwise, as far as images go, if it's rendered as part of file content, it's going to go through camo.
Even if you could somehow trick the rendering pipeline into allowing an unproxied image through, the Content-Security-Policy header would prevent it from being rendered in your browser, and your browser would report it as a security violation to GitHub.
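The Content-Security-Policy check described in the answer above, as an added example that is not part of the original answer and is not GitHub's code: a simplified `img-src` evaluation run against a constructed policy. The policy string, page URL, internal host name and function names are assumptions for illustration; GitHub's real header is not reproduced here.

```javascript
// Simplified CSP img-src check (added example; not GitHub's code or policy).
// Handles: img-src with default-src fallback, 'none', 'self', *, scheme
// sources (data:), and host sources with an optional scheme and "*." wildcard.
// Ports and paths in source expressions are ignored.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

function imageAllowed(header, pageUrl, imageUrl) {
  const policy = parsePolicy(header);
  const sources = policy.get("img-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // no directive governs images
  const page = new URL(pageUrl);
  const img = new URL(imageUrl);
  return sources.some((raw) => {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === "'self'") return img.origin === page.origin;
    if (src === "*") return ["http:", "https:"].includes(img.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return img.protocol === src;
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    if (m[1] && img.protocol !== m[1] + ":") return false;
    return hostMatches(m[2], img.hostname);
  });
}

// Constructed sample policy and page URL, for illustration only.
const SAMPLE_CSP =
  "default-src 'none'; img-src 'self' data: https://camo.githubusercontent.com";
const PAGE = "https://github.com/example-org/example-repo";
```

With a policy of this shape, an image URL on an internal host is rejected by the browser even if it reached the rendered HTML unproxied, while the camo-proxied URL and a `data:` URL pass.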