zulip/docs/subsystems/thumbnailing.md

# Thumbnailing

There are two key places one would naturally want to thumbnail images
in a team chat application like Zulip:

* On the server-side, when serving inline image and URL previews in
  the bodies of messages.  This is very important for Zulip's network
  performance of low-bandwidth networks.
* In mobile apps, to avoid uploading full-size images on a mobile
  network (which Zulip does not yet implement),

Our server-side thumbnailing system is powered by [thumbor][], a
popular open source server for serving images and thumbnailing them.

Thumbor is responsible for a few things in Zulip:

* Serving all image content over HTTPS, even if the original/upstream
  image was hosted on HTTP (this was previously done by `camo` in
  older versions of Zulip; the `THUMBOR_SERVES_CAMO` setting controls
  whether Thumbor will serve the old-style Camo URLs that might be
  present in old messages).  This is important to avoid mixed-content
  warnings from browsers (which look very bad), and does have some
  real security benefit in protecting our users from malicious
  content.
* Minimizing potentially unnecessary bandwidth that might be used in
  communication between the Zulip server and clients.  Before we
  introduced this feature, uploading large photos could result in a
  bad experience for users with a slow network connection.

Thumbor handles a lot of details for us, varying from signing of
thumbnailing URLs, to caching for DoS prevention.

It is configured via the `THUMBOR_URL` and `THUMBNAIL_IMAGES` settings in
`/etc/zulip/settings.py`; you can host Thumbor on the same machine as
the Zulip server, or a remote server (which is better for isolation,
since security bugs in image-processing libraries have in the past
been a common attack vector).

The thumbnailing system is used for any images that appear in the
bodies of Zulip messages (i.e. both images linked to by users, as well
as uploaded image files.).  We exclude a few special image sources
(e.g. youtube stills) only because they are already thumbnailed.

For uploaded image files, we enforce the same security policy on
thumbnail URLs that we do for the uploaded files themselves.

A correct client implementation interacting with the thumbnailing
system should do the following:

* For serving the thumbnailed to 100px height version of images,
  nothing special is required; the client just needs to display the
  `src=` value in the `<img>` tag in the rendered message HTML.
* For displaying a "full-size" version of an image (e.g. to use in a
  lightbox), the client can access the `data-fullsize-src` attribute
  on the `<img>` tag; this will contain the URL for a full-size
  version.
* Ideally, when clicking on an image to switch from the thumbnail to
  the full-size / lightbox size, the client should immediately display
  the thumbnailed (low resolution) version and in parallel fetch the
  full-size version in the background, transparently swapping it into
  place once the full size version is available.  This provides a
  slick user experience where the user doesn't see a loading state,
  and instead just sees the image focus a few hundred milliseconds
  after clicking the image.

## URL design

The raw Thumbor URLs are ugly, and regardless, have the property that
we might want to change them over time (a classic case is if one moves
the thumbor installation to be hosted by a different server).  In
order to avoid encoding these into Zulip messages, we encode in the
[HTML rendered message content](../subsystems/markdown.html) URLs of
the form
`/thumbnail/?url=https://example.com/image.png&size=thumbnail` as the
`src` in our image tags, and that URL serves a
(configuration-dependent) redirect to the actual image hosted on
thumbor.


## Avatars, realm icons, and custom emoji

Currently, these user-uploaded content are thumbnailed by Zulip's
internal file-upload code, in part because they change rarely and
don't have the same throughput/performance requirements as
user-uploaded files.  We may later convert them to use thumbor as
well.

[thumbor]: https://github.com/thumbor/thumbor
docs: Add some basic subsystem documentation for thumbnailing. 2018-07-30 22:16:26 +02:00			`# Thumbnailing`

			`There are two key places one would naturally want to thumbnail images`
			`in a team chat application like Zulip:`

			`* On the server-side, when serving inline image and URL previews in`
			`the bodies of messages. This is very important for Zulip's network`
			`performance of low-bandwidth networks.`
			`* In mobile apps, to avoid uploading full-size images on a mobile`
			`network (which Zulip does not yet implement),`

			`Our server-side thumbnailing system is powered by [thumbor][], a`
			`popular open source server for serving images and thumbnailing them.`

			`Thumbor is responsible for a few things in Zulip:`

			`* Serving all image content over HTTPS, even if the original/upstream`
			image was hosted on HTTP (this was previously done by `camo` in
camo: Add endpoint to handle camo requests. This endpoint serves requests which might originate from an image preview link which had an http url and the message holding the image link was rendered before we introduced thumbnailing. In that case we would have used a camo proxy to proxy http content over https and avoid mix content warnings. In near future, we plan to drop use of camo and just rely on thumbor to serve such images. This endpoint helps maintain backward compatibility for links which were already rendered. 2018-12-17 17:27:05 +01:00			older versions of Zulip; the `THUMBOR_SERVES_CAMO` setting controls
			`whether Thumbor will serve the old-style Camo URLs that might be`
			`present in old messages). This is important to avoid mixed-content`
docs: Add some basic subsystem documentation for thumbnailing. 2018-07-30 22:16:26 +02:00			`warnings from browsers (which look very bad), and does have some`
			`real security benefit in protecting our users from malicious`
			`content.`
			`* Minimizing potentially unnecessary bandwidth that might be used in`
			`communication between the Zulip server and clients. Before we`
docs: Clean up the new thumbnailing docs. 2018-07-30 22:36:24 +02:00			`introduced this feature, uploading large photos could result in a`
			`bad experience for users with a slow network connection.`
docs: Add some basic subsystem documentation for thumbnailing. 2018-07-30 22:16:26 +02:00
			`Thumbor handles a lot of details for us, varying from signing of`
			`thumbnailing URLs, to caching for DoS prevention.`

thumbnails: Add setting THUMBNAIL_IMAGES. This setting splits away part of responsibility from THUMBOR_URL. Now on, this setting will be responsible for controlling whether we thumbnail images or not by asking bugdown to render image links to hit our /thumbnail endpoint. This is irrespective of what THUMBOR_URL is set to though ideally THUMBOR_URL should be set to point to a running thumbor instance. 2019-01-04 16:22:04 +01:00			It is configured via the `THUMBOR_URL` and `THUMBNAIL_IMAGES` settings in
docs: Add some basic subsystem documentation for thumbnailing. 2018-07-30 22:16:26 +02:00			`/etc/zulip/settings.py`; you can host Thumbor on the same machine as
			`the Zulip server, or a remote server (which is better for isolation,`
			`since security bugs in image-processing libraries have in the past`
			`been a common attack vector).`

			`The thumbnailing system is used for any images that appear in the`
			`bodies of Zulip messages (i.e. both images linked to by users, as well`
			`as uploaded image files.). We exclude a few special image sources`
			`(e.g. youtube stills) only because they are already thumbnailed.`

			`For uploaded image files, we enforce the same security policy on`
			`thumbnail URLs that we do for the uploaded files themselves.`

			`A correct client implementation interacting with the thumbnailing`
			`system should do the following:`

			`* For serving the thumbnailed to 100px height version of images,`
			`nothing special is required; the client just needs to display the`
			`src=` value in the `<img>` tag in the rendered message HTML.
			`* For displaying a "full-size" version of an image (e.g. to use in a`
			lightbox), the client can access the `data-fullsize-src` attribute
			on the `<img>` tag; this will contain the URL for a full-size
			`version.`
			`* Ideally, when clicking on an image to switch from the thumbnail to`
			`the full-size / lightbox size, the client should immediately display`
			`the thumbnailed (low resolution) version and in parallel fetch the`
			`full-size version in the background, transparently swapping it into`
			`place once the full size version is available. This provides a`
			`slick user experience where the user doesn't see a loading state,`
			`and instead just sees the image focus a few hundred milliseconds`
			`after clicking the image.`

docs: Clean up the new thumbnailing docs. 2018-07-30 22:36:24 +02:00			`## URL design`

			`The raw Thumbor URLs are ugly, and regardless, have the property that`
			`we might want to change them over time (a classic case is if one moves`
			`the thumbor installation to be hosted by a different server). In`
			`order to avoid encoding these into Zulip messages, we encode in the`
Revert "docs: Update .html links to .md." This doesn't work without the CommonMark upgrade. This reverts commit c87893feeacaa78315ffc72510afe8e92477f4e8. 2019-04-06 02:58:44 +02:00			`[HTML rendered message content](../subsystems/markdown.html) URLs of`
docs: Clean up the new thumbnailing docs. 2018-07-30 22:36:24 +02:00			`the form`
			`/thumbnail/?url=https://example.com/image.png&size=thumbnail` as the
			`src` in our image tags, and that URL serves a
			`(configuration-dependent) redirect to the actual image hosted on`
			`thumbor.`

docs: Add some basic subsystem documentation for thumbnailing. 2018-07-30 22:16:26 +02:00
			`## Avatars, realm icons, and custom emoji`

			`Currently, these user-uploaded content are thumbnailed by Zulip's`
			`internal file-upload code, in part because they change rarely and`
			`don't have the same throughput/performance requirements as`
			`user-uploaded files. We may later convert them to use thumbor as`
			`well.`

			`[thumbor]: https://github.com/thumbor/thumbor`