Mixed content error in admin of secure site

[AAD Web Team]

Hi,

We're having a problem with the long-click 'View' option (in the page tree) that previews a page in a modal window.

It's a secure site (https://scarcomnap2020.antarctica.gov.au/), but it seems that when a page is loaded within the modal window it's using http instead of https. This is causing an error due to the mixed content (the Firefox web console says: 'Blocked loading mixed active content “http://scarcomnap2020.antarctica.gov.au/venues/?modal=1”').

The consequence is that nothing loads - just a modal window with a spinning graphic in the middle.

The same thing happens if you choose View > Panel or View > Modal Popup from the View menu when editing a page.

Additionally, we're having a similar issue within ProDrafts - the option to view the draft or published versions of the page works fine, but when you click the 'Both' option, you end up with a blank split screen.

The source code on this blank splitscreen reveals that the http protocol is being used in this case too:

<body class='ProcessProDraftsViewBoth'>	
	<iframe id='pwpd-draft' class="pane ui-layout-west" src='http://scarcomnap2020.antarctica.gov.au/venues/?draft=1'></iframe>
  	<iframe id='pwpd-published' class="pane ui-layout-center" src='http://scarcomnap2020.antarctica.gov.au/venues/'></iframe>
</body>

We're wondering if this choice of the http protocol is something that is hard-coded in somewhere, or if there is a configuration we might have messed up or missed. Any ideas? Everything else appears to be working fine.

We're running PW 3.0.98 and ProDrafts 6c.

(I noticed the issue because I'm preparing to train our first editor by writing some documentation).

Thanks!

Margaret

Edited November 7, 2018 by AAD Web Team
The code sample I used was from the wrong bit!

[Robin S]

I can't reproduce that on my secure sites - for me the panel and modal load pages over HTTPS.

Normally for an HTTPS-only site you would enable the HTTPS redirection in .htaccess:
https://github.com/processwire/processwire/blob/341342dc5b1c58012ae7cb26cffe2c57cd915552/htaccess.txt#L91-L95

So that would be something to check.

[cstevensjr]

I would also make sure that on all your templates, you have set to HTTPS Only (SSL encrypted).  I do this for even the System Templates

[AAD Web Team]

22 hours ago, Robin S said:

I can't reproduce that on my secure sites - for me the panel and modal load pages over HTTPS.

Normally for an HTTPS-only site you would enable the HTTPS redirection in .htaccess:
https://github.com/processwire/processwire/blob/341342dc5b1c58012ae7cb26cffe2c57cd915552/htaccess.txt#L91-L95

So that would be something to check.

We're using nginx rather than Apache, so we don't actually have an .htaccess file, but I'll get our web manager to double-check the equivalent settings.

[AAD Web Team]

20 hours ago, cstevensjr said:

I would also make sure that on all your templates, you have set to HTTPS Only (SSL encrypted).  I do this for even the System Templates

Thanks for this suggestion. Unfortunately doing this stops our existing http redirect from working (normally if you type in http://scarcomnap2020.antarctica.gov.au you are taken to the https version).

[AAD Web Team]

I've had a dig around in the Wire directory... I've made some changes that have fixed the issue, but obviously that's not ideal as a long-term fix. Anyway, it seems to all relate back to the httpURL method.

In ProcessPageEdit.module I've changed this line:

$url = $this->page->url(); // was previously $url = $this->page->httpUrl();

This fixes the View > Panel and View > Modal popup options from the Edit screen.

In ProcessPageListActions.php I've changed one line in this section:

if($page->viewable()) $actions['view'] = array(
	'cn' => 'View',
	'name' => $this->actionLabels['view'],
	'url' => $page->url // was previously 'url' => $page->httpUrl
);

This fixes the long-click View button in the page tree.

I've also made a change within the ProDrafts module file, once again telling it to use $page->url instead of $page->httpUrl, but I won't go into detail about that here in the general forum. That has fixed the View both option in any case.

So this is great as a temporary fix, but I have no idea whether there could be any wider implications... Any thoughts @ryan? I'd hate to break something else. I'm also stumped as to why the httpUrl method is opting to output http instead of https in just these instances.