From fb1bce5a8a6433277ea17b41e576877be1507fe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ky=E2=84=93e=20Hensel?= <k-yle@users.noreply.github.com>
Date: Sat, 22 Feb 2025 19:42:04 +1100
Subject: [PATCH] Always use HTTPS to load Bing Streetside images (#10798)

---
 CHANGELOG.md                   | 2 ++
 modules/services/streetside.js | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdff6cc2e..224899d8d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -48,6 +48,7 @@ _Breaking developer changes, which may affect downstream projects or sites that
 * Fix splitting of closed ways (or areas) when two or more split-points are selected
 * Keep `red_turn:left/right` tags unchanged when reversing a way ([#10737], thanks [@burrscurr])
 #### :camera: Street-Level
+* Always use HTTPS to load Bing Streetside images ([#10798], thanks [@k-yle])
 #### :white_check_mark: Validation
 * Add warning if aeroways cross each other, buildings or highways ([#9315], thanks [@k-yle])
 * Warn when a way with more than the maximum allowed number of nodes is to be uploaded and provide a way to fix it ([#7381])
@@ -96,6 +97,7 @@ _Breaking developer changes, which may affect downstream projects or sites that
 [#10766]: https://github.com/openstreetmap/iD/pull/10766
 [#10776]: https://github.com/openstreetmap/iD/issues/10776
 [#10778]: https://github.com/openstreetmap/iD/issues/10778
+[#10798]: https://github.com/openstreetmap/iD/pull/10798
 [@hlfan]: https://github.com/hlfan
 [@Deeptanshu-sankhwar]: https://github.com/Deeptanshu-sankhwar
 [@draunger]: https://github.com/draunger
diff --git a/modules/services/streetside.js b/modules/services/streetside.js
index 7f4893948..dfa9073be 100644
--- a/modules/services/streetside.js
+++ b/modules/services/streetside.js
@@ -122,9 +122,9 @@ function loadNextTilePage(which, url, tile) {
       const d = {
         loc: loc,
         key: bubbleId,
-        imageUrl: bubble.imageUrl.replace('{subdomain}',
-          bubble.imageUrlSubdomains[0]
-        ),
+        imageUrl: bubble.imageUrl
+          .replace('{subdomain}', bubble.imageUrlSubdomains[0])
+          .replace(/^http:/, 'https:'), // always use HTTPS (see #10797)
         ca: bubble.he || bubble.heading,
         captured_at: bubble.vintageEnd,
         captured_by: 'microsoft',