Data sent to app.amanote.com should always be transferred via HTTPS

Issue #2 resolved
David Mudrák created an issue

The plugin is transmitting sensitive data such as the user token to app.amanote.com. There is no reason why this should not always happen via HTTPS only. I recall we already talked about this in your first plugin mod_amanote and it surprised me to see that there is the same logic there, too.

The problem I can see here is that if the Moodle site is accessed via HTTP, your code downgrades the protocol used to contact your app.amanote.com to HTTP too. Why? Some inline comments suggest that it is to avoid the Mixed Content warnings. But that should not be a problem as far as I understand it. Mixed Content is there to prevent HTTP content on an HTTPS site. Why should it be an issue when submitting data from an HTTP-loaded page to an HTTPS server?

Oh, I think I am starting to recall now - it is because of how you load the PDF from Moodle to your site then, right? So the Mixed Content problem arises at your site, not in Moodle. Right?

If I recall correctly, my suggestion was that your site could fetch the PDF from the Moodle server and then serve it to the user, rather than having the user’s browser fetch the PDF.
