mixed content with post preview

[theYinYeti]

My dotclear is served on HTTP by Nginx / php-fpm. However, it is behind an SSL proxy, and when php-fpm is called, these settings are correctly set:

fastcgi_param HTTPS "on";
fastcgi_param SERVER_PORT "443";

Besides, DC_ADMIN_URL is now set to an HTTPS URL in inc/config.php.

Yet, when I want to preview a post, the black-bordered iframe is empty because its URL begins with HTTP instead of HTTPS.

I rate the severity as normal because the feature can still be used by opening the Preview link in a new tab/window (right-click menu).

[franck]

Is your blog URL beginning with HTTPS ? See Blog's parameters.

[franck]

May be fixed by the revisions [2019] and [2020]?

[bruno]

This issue is quite hard to solve : to avoid mixed content, a public adapter needs to be coded on admin side, and it implies lots of code.

Most of the time, you can force mixed content by clicking on a "shield" icon in your address bar.

I keep the issue opened, but it definitely won't be solved in 2.7.x, since it requires a big patch.

[theYinYeti]

Replying to franck:

Is your blog URL beginning with HTTPS ? See Blog's parameters.

Hi! Sorry for the delay in answering. My blog’s URL begins with HTTP, not HTTPS, because I only use HTTPS when using the admin pages (although HTTPS can technically be used also on the other pages).

[theYinYeti]

Replying to franck:

May be fixed by the revisions [2019] and [2020]?

From what I see when following the links, it seems highly unlikely that either of these changeset would solve the issue. For the time being, I’ll tell Firefox to just allow mixed content on my site, as suggested by bruno (thanks!)

[franck]

In next 2.9, post preview will be opened in another tab/window if the admin is served over HTTPS and not the blog, in order to avoid mixed content and blank iframe.