Allow the use of Secure Gravatar (SSL) to avoid mixed content warnings

Issue #484 invalid
Arsène von Wyss created an issue

Many browsers warn the user when he is browsing a secure site which also requests non-secure content. When using RhodeCode over SSL, such warnings appear because of the request to the user Gravatar.

Using (either optionally or always) would solve this.

Comments (4)

  1. Marcin Kuzminski repo owner

    That is the case right now, rhodecode detects, if ssl is used by checking 'wsgi.url_scheme' if it's https it will use secure gravatars.

    I don't know how do you serve rhodecode with SSL, but you can try out force_https in .ini file to make that work anyway.

  2. Arsène von Wyss reporter

    For various reasons we are using RhodeCode behind a reverse proxy; the proxy has the certificate and accepts the SSL calls. I changed the clone_uri scheme to match the reverse proxy and everything seemed fine but the issue with the Gravatars.

    With force_https set to true the Gravatar issue is indeed solved, but direct access to the backend server via non-secured connection now obviously gets the wrong protocol in redirects. I tried having the proxy set the HTTP_X_URL_SCHEME header but this doesn't work yet (not sure where - will investigate).

  3. Arsène von Wyss reporter

    Thanks... I was setting the header literally named HTTP_X_URL_SCHEME and that of course didn't work. All is fine now with the header X-Url-Scheme, thanks a lot!

  4. Log in to comment