Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Running HTTPS, getting mixed content

alastcalastc New
edited September 2012 in Vanilla 2.0 - 2.8

I've just switched my whole site to SSL, and I'm getting mixed content warning due to the profile pictures.

It looks like something wrong in library/core/functions.render around line 178, but I'm not sure it's a good idea to change that.

Does anyone know how to get around this, e.g. is there a safe way to override that function?

I've tried adjusting some of the config options, but it hasn't helped and I can't find much documentation on that.





  • Anyone? I've re-installed Vanilla whilst under SSL and it is still putting images as http.

    Is there a way of forcing it to use https?


  • x00x00 MVP
    edited October 2012

    This is a general problem rather then specifically vanilla, sometimes it just isn't viable to be able to control every aspect of your site to totally eliminate, these errors. What tend to happen is that you clear most of the pages and resources, then you want some feature, like external feed service, and either they don't have https address or the url has been hard coded. it is an exercise in chasing your tail, just to get superfluous errors to go away. Safari is the only browser that get it right with these errors.

    Apart from anything else what if there is user contributed content that isn't via a secure source? how do you expect them to know, it isn't realistic to try an control these error on a public contributed site. What you should do is be smart in secure the areas that mater like entry, which you would do through specific server rules.

    When people put their whole site under ssl, often it is for confidence reasons rather then anything else.

    grep is your friend.

  • My question is very specifically about Vanilla, there is code in core that is supposed to notice when it is https and output files appropriately.

    I understand the issue with linking to external non-secure content, but that happens far less often than showing profile pictures! I will deal with that separately.
    When you have things like Firesheep around, only securing certain areas is a false sense of security (

    Giving it some further thought, I wonder if the Vanilla code that checks for HTTPS is not activating because it's running on behind an nginx proxy?

  • x00x00 MVP
    edited October 2012

    sorry I didn’t read the post correctly the first time we are on the same page.

    note you can create the function UserPhotoDefaultUrl it gets passed the the $User object.

    you could put it in themehooks file or conf/boostrap.after.php

    grep is your friend.

  • Thanks, that's really useful I'll give it a go.

  • I'm not having much luck with this, when I replicate the UserPhotoDefault function in /conf/bootstrap.after.php it doesn't produce the same URL, even though I haven't changed the function (yet).

    E.g. without a bootstrap.after the URL is

    With the bootstrap.after and a copy of the function, it becomes:

    Are there any other approaches I could use? (I also couldn't see how to over-ride the function using themehooks, but that could be me.)

  • Did you ever have any luck solving this issue? I'm having the same problem and not getting anywhere.

Sign In or Register to comment.