Mixed content warnings on newsfeed #2398

Closed
2 of 7 tasks
davidmehren opened this issue Aug 25, 2017 · 5 comments
Labels
type/question Issue needs no code to be fixed, only a description on how to fix it yourself.
Comments

@davidmehren

  • Gitea version (or commit ref): 1.2.0+rc1
  • Git version: 2.11.0
  • Operating system: Ubuntu 17.04
  • Database:
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

When using the new 1.2.0 RC1, Chrome complains about mixed content on the "newsfeed" that is shown when a user is logged in.
The user profile picture on the left of each news entry is loaded using an absolute URL and HTTP:

<div class="news">
		<div class="ui left">
			<img class="ui avatar image" src="http://my.domain.net/avatars/3f01fd3bf5ae0bf66baa29afae3aadd4" alt="">
		</div>
...

1.1.2 is using relative URLs:

<div class="news">
		<div class="ui left">
			<img class="ui avatar image" src="/avatars/48b54c558b98d21bb042f4ddf2f9bf7d" alt="">
		</div>
...

Gitea is running behind a nginx reverse proxy which terminates the TLS connection to the clients.

I can not reproduce this on try.gitea.io, because that seems to be using Gravatar for profile pics, which are loaded using HTTPS.

@lunny lunny added the type/bug label Aug 26, 2017
@lunny lunny added this to the 1.3.0 milestone Aug 26, 2017
@lunny (Member)

lunny commented Aug 26, 2017

@Morlinest maybe you can see this one.

@Morlinest (Member)

Morlinest commented Aug 26, 2017

@lunny I hope yes.

I think the problem is when you use a reverse proxy with Content Security Policy (CSP) protection enabled and serve content from other URLs/ports. In the NGINX config it looks like this: add_header Content-Security-Policy ....

@davidmehren Did you set your app url (in ini it is ROOT_URL) in gitea to https://my.domain.net?

@lafriks lafriks added type/question Issue needs no code to be fixed, only a description on how to fix it yourself. and removed type/bug labels Aug 28, 2017
@davidmehren (Author)

davidmehren commented Aug 31, 2017

Everything is fine again after I changed ROOT_URL from %(PROTOCOL)s://%(DOMAIN)s/ to https://my.domain.net.

I was first confused by this setting, because after I set PROTOCOL to https Gitea refused to start. I then realised that I need to start Gitea in HTTP mode but with an HTTPS URL (Because otherwise it expects a TLS certificate).

@Morlinest Thanks for your advice!

One last question: Why did everything work in Gitea 1.2? Was there a behaviour change in 1.3?
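The mechanism behind the fix above, as an added example that is not part of the issue thread and not Gitea's own code: the default ROOT_URL template `%(PROTOCOL)s://%(DOMAIN)s/` expands with PROTOCOL=http when TLS is terminated at nginx, so any absolute URL built from it (avatars included) starts with http:// and is flagged as mixed content on the HTTPS page. The helper names (expandRootURL, avatarURL, renderNewsEntry, mixedContent), the avatar path layout and the sample news fragment are assumptions modelled on the HTML quoted in the issue; the checker scans `src` attributes of a rendered page and reports every subresource that would load over plain HTTP.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// expandRootURL mimics the app.ini placeholder expansion of the [server]
// ROOT_URL default "%(PROTOCOL)s://%(DOMAIN)s/": the placeholders are
// replaced with the PROTOCOL and DOMAIN keys of the same section.
func expandRootURL(rootURL, protocol, domain string) string {
	return strings.NewReplacer(
		"%(PROTOCOL)s", protocol,
		"%(DOMAIN)s", domain,
	).Replace(rootURL)
}

// avatarURL builds an absolute avatar link from ROOT_URL. Hypothetical
// stand-in for a helper that returns absolute URLs; not Gitea's GetActAvatar.
func avatarURL(rootURL, hash string) (string, error) {
	base, err := url.Parse(rootURL)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse("avatars/" + hash)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).String(), nil
}

// renderNewsEntry renders a constructed fragment shaped like the one quoted
// in the issue, with the avatar src taken from avatarURL.
func renderNewsEntry(rootURL, hash string) (string, error) {
	src, err := avatarURL(rootURL, hash)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`<div class="news"><div class="ui left"><img class="ui avatar image" src="%s" alt=""></div></div>`, src), nil
}

// srcAttr matches src="..." attributes (img, script, iframe): these are the
// subresource loads browsers treat as mixed content.
var srcAttr = regexp.MustCompile(`(?i)\bsrc\s*=\s*["']([^"']*)["']`)

// mixedContent returns every src value that would load over plain HTTP when
// the page is served at pageURL. Relative ("/avatars/...") and
// protocol-relative ("//host/...") references inherit the page scheme, so
// only references resolving to an absolute http:// URL are reported.
func mixedContent(pageURL, html string) ([]string, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	if page.Scheme != "https" {
		return nil, nil // mixed content only exists on HTTPS pages
	}
	var found []string
	for _, m := range srcAttr.FindAllStringSubmatch(html, -1) {
		ref, err := url.Parse(m[1])
		if err != nil {
			continue
		}
		if page.ResolveReference(ref).Scheme == "http" {
			found = append(found, m[1])
		}
	}
	return found, nil
}

func main() {
	const hash = "3f01fd3bf5ae0bf66baa29afae3aadd4" // hash from the issue
	const pageURL = "https://my.domain.net/"           // what the browser sees via nginx
	// Constructed configs: the default template with PROTOCOL=http (Gitea in
	// HTTP mode behind a TLS-terminating proxy), and the fix from the issue.
	configs := []struct{ name, root string }{
		{"default template", expandRootURL("%(PROTOCOL)s://%(DOMAIN)s/", "http", "my.domain.net")},
		{"explicit https", "https://my.domain.net"},
	}
	for _, c := range configs {
		page, _ := renderNewsEntry(c.root, hash)
		bad, _ := mixedContent(pageURL, page)
		fmt.Printf("ROOT_URL=%s (%s): %d mixed-content src(s) %v\n", c.root, c.name, len(bad), bad)
	}
}
```

Setting PROTOCOL=https instead would make Gitea itself try to serve TLS and look for a certificate, which is why the fix keeps PROTOCOL=http and hard-codes the https scheme in ROOT_URL: the proxy speaks TLS to clients, Gitea only needs to know which public URL to put into the links it generates.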

@DerMolly

@davidmehren you mean 1.1.2 and 1.1.3, don't you?

@Morlinest (Member)

@davidmehren You're welcome. I think change from relative to absolute url was done in #1779 + #1820 (new function GetActAvatar was used instead of removed ActAvatar struct value)

@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020