mojira.dev
WEB-1083

sessionserver.mojang.com API provides HTTP skin and cape URLs

The bug

The https://sessionserver.mojang.com/session/minecraft/profile/<uuid> API (see the unofficial wiki) returns http:// instead of https:// URLs for skins and capes in the decoded textures property:

{
    "timestamp": 1531794508246,
    "profileId": "c6d461c1f49540c5a475dda1b993490a",
    "profileName": "redstonehelper",
    "textures": {
        "SKIN": {
            "url": "http://textures.minecraft.net/texture/2fcdec2b1b135ae6cdd89cabc150ee7f9a27969c046cb1aa52d70011df1ebea0"
        },
        "CAPE": {
            "url": "http://textures.minecraft.net/texture/ae677f7d98ac70a533713518416df4452fe5700365c09cf45d0d156ea9396551"
        }
    }
}

This might be intended to support really old Java versions (see this comment), though the question is whether they would really have issues with https://.

Steps to reproduce

  1. Open for example https://sessionserver.mojang.com/session/minecraft/profile/c6d461c1f49540c5a475dda1b993490a in your browser

  2. Copy the Base64 string from the value property

  3. Decode the Base64 string, for example using https://www.base64decode.org/
    ❌ Bug: The decoded JSON data contains http:// instead of https:// URLs for textures.minecraft.net
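The three steps above can be scripted so the check is repeatable and so a client-side workaround can be tested. The following is an added example, not code from the report or from Mojang: it decodes the base64 `textures` property from a profile response, flags every texture URL whose scheme is not https, and upgrades http:// URLs to https:// only when the host is textures.minecraft.net, rejecting anything else instead of upgrading it. The profile envelope (an `id`, a `name`, and a `properties` list holding a `textures` entry whose `value` is base64 JSON) is the shape the session server returns; the sample below is constructed inline from the texture JSON quoted in the report so it runs offline. `TEXTURE_HOST`, `decode_textures`, `find_insecure_texture_urls`, `texture_host_is_expected` and `harden_texture_url` are names chosen for this example.

```python
import base64
import json
from urllib.parse import urlparse

# Host the client expects texture URLs to point at (assumption for this example).
TEXTURE_HOST = "textures.minecraft.net"

# Constructed sample input: the texture JSON quoted in the report, wrapped in a
# profile envelope as the session server would return it, with the texture JSON
# base64-encoded into the "value" property.
TEXTURE_JSON = {
    "timestamp": 1531794508246,
    "profileId": "c6d461c1f49540c5a475dda1b993490a",
    "profileName": "redstonehelper",
    "textures": {
        "SKIN": {
            "url": "http://textures.minecraft.net/texture/2fcdec2b1b135ae6cdd89cabc150ee7f9a27969c046cb1aa52d70011df1ebea0"
        },
        "CAPE": {
            "url": "http://textures.minecraft.net/texture/ae677f7d98ac70a533713518416df4452fe5700365c09cf45d0d156ea9396551"
        },
    },
}
SAMPLE_PROFILE = {
    "id": "c6d461c1f49540c5a475dda1b993490a",
    "name": "redstonehelper",
    "properties": [
        {
            "name": "textures",
            "value": base64.b64encode(json.dumps(TEXTURE_JSON).encode("utf-8")).decode("ascii"),
        }
    ],
}


def decode_textures(profile: dict) -> dict:
    """Steps 2 and 3 of the report: find the textures property and decode its base64 JSON."""
    for prop in profile.get("properties", []):
        if prop.get("name") == "textures":
            return json.loads(base64.b64decode(prop["value"]).decode("utf-8"))
    raise ValueError("profile has no textures property")


def find_insecure_texture_urls(textures_json: dict) -> dict:
    """Return {texture kind: url} for every texture URL whose scheme is not https."""
    insecure = {}
    for kind, entry in textures_json.get("textures", {}).items():
        url = entry.get("url", "")
        if urlparse(url).scheme != "https":
            insecure[kind] = url
    return insecure


def texture_host_is_expected(url: str) -> bool:
    """True only when the URL's host is exactly the expected texture host."""
    return urlparse(url).hostname == TEXTURE_HOST


def harden_texture_url(url: str) -> str:
    """Upgrade an http:// texture URL to https://.

    The upgrade is applied only to URLs on TEXTURE_HOST; any other host or
    scheme is rejected so the client never silently fetches from somewhere
    it did not expect.
    """
    parts = urlparse(url)
    if not texture_host_is_expected(url):
        raise ValueError(f"unexpected texture host: {parts.hostname!r}")
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"unexpected scheme: {parts.scheme!r}")
    return parts._replace(scheme="https").geturl()


if __name__ == "__main__":
    decoded = decode_textures(SAMPLE_PROFILE)
    for kind, url in find_insecure_texture_urls(decoded).items():
        print(f"{kind}: insecure {url}")
        print(f"{kind}: upgraded {harden_texture_url(url)}")
```

Run against a live response, the script would replace `SAMPLE_PROFILE` with the JSON fetched from the profile endpoint for a real UUID; with the constructed sample it reports both SKIN and CAPE as insecure and prints the https:// form of each.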

Comments 8

Have reopened this because despite having been fixed for other endpoints, for this API endpoint the responses still use HTTP URLs.

Yes this is still the case; I have added a "Steps to reproduce" section to the description to hopefully make it clearer.

Is this still an issue, as I cannot access the web link pasted anymore?

{
    "path": "/session/minecraft/profile/",
    "error": "NOT_FOUND",
    "errorMessage": "Not Found"
}

Can confirm, I cannot open this link:

https://sessionserver.mojang.com/session/minecraft/profile/

From Aar9n's Discord web request reply:

When you do add the uuid to the url (using the same one in the report) you’ll find it works: https://sessionserver.mojang.com/session/minecraft/profile/c6d461c1f49540c5a475dda1b993490a

The URL in the bug report doesn't work because it's incomplete: you need to actually look up a player with the session server API or you will get the not found error. The reporter simply didn't include the exact player in the URL for whatever reason.

marcono1234

web

Confirmed

Other

cape, http, https, skin
