Details
- Bug
- Resolution: Unresolved
- Minor
- None
- 1.10.3
- None
- Unknown
Description
Using XWiki over HTTPS (nginx proxy), I get a mixed content error on the XWiki login page.
Mixed Content: The page at 'https://XXXXXXXXX/bin/loginsubmit/XWiki/XWikiLogin' was loaded over HTTPS, but requested an insecure stylesheet 'http://XXXXXXXXX/bin/login/XWiki/XWikiLogin?xredirect=%2Fbin%2Fview%2FXWiki%2F%2524escapetool.xml%2528%2524ssxHref%2529'. This request has been blocked; the content must be served over HTTPS.
It seems that the stylesheet reference injected by the number heading application uses HTTP on the login page, probably because the href value is invalid:
<link rel='stylesheet' type='text/css' href="$escapetool.xml($ssxHref)"/>
It seems that Velocity variables are not properly replaced by their content.
I was able to trace it back to the "NumberHeading" page code, where "$origdoc" can be null for logged out users, leading to a null "$ssxHref". I was able to fix it by adding a conditional statement:
{{velocity}}
#set ($isNumberedHeadingsEnabled = $services.numbered.headings.isNumberedHeadingsEnabled())
#set ($origdoc = $xwiki.getDocument('NumberedHeadings.Code.NumberedHeadings'))
#set ($locale = $services.localization.getCurrentLocale())
#set ($ssxHref = $origdoc.getURL('ssx', $escapetool.url({
  'isNumberedHeadingsEnabled': $isNumberedHeadingsEnabled,
  'locale': $services.localization.getCurrentLocale(),
  'docVersion': $origdoc.getVersion()
})))
#set ($discard = $services.numbered.common.insertCSS($locale))
## Only emit the <link> when the URL was resolved ($origdoc can be null for logged-out users).
#if ($ssxHref)
{{html clean='false'}}
<link rel='stylesheet' type='text/css' href="$escapetool.xml($ssxHref)"/>
{{/html}}
#end
{{/velocity}}
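A check for this failure mode, added here as an example (it is not the reporter's or XWiki's code): it flags URL attributes in rendered HTML that still contain an unresolved Velocity reference, and decodes the double-encoded `xredirect` parameter of the blocked request to show that it carries the same literal. The host `wiki.example.org` and all function names are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlsplit

# A Velocity reference that survived rendering, e.g. $ssxHref or $escapetool.xml
VELOCITY_REF = re.compile(r"\$!?\{?[A-Za-z_][\w.]*")
URL_ATTRS = {"href", "src", "action"}
# Constructed samples modelled on the report (host name is a placeholder).
SAMPLE_HTML = """<link rel='stylesheet' type='text/css' href="$escapetool.xml($ssxHref)"/>"""
SAMPLE_URL = ("http://wiki.example.org/bin/login/XWiki/XWikiLogin?xredirect="
              "%2Fbin%2Fview%2FXWiki%2F%2524escapetool.xml%2528%2524ssxHref%2529")

def fully_unquote(value, max_rounds=5):
    """Percent-decode until stable; redirect parameters are often double-encoded."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

class UnrenderedRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for URL attributes holding a Velocity reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if VELOCITY_REF.search(value):
                self.findings.append((tag, name, value))

def scan_html(html):
    finder = UnrenderedRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def explain_blocked_url(url):
    """Return (scheme, decoded xredirect target, Velocity references found in it)."""
    parts = urlsplit(url)
    raw = parse_qs(parts.query).get("xredirect", [""])[0]  # parse_qs decodes once
    target = fully_unquote(raw)
    return parts.scheme, target, VELOCITY_REF.findall(target)

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML), explain_blocked_url(SAMPLE_URL))
```

Running `scan_html` against pages fetched as an anonymous user covers the logged-out code path where `$origdoc` is null.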