If you have a piece of pdf content hosted* on a non-ssl site and
the ssl version of the site gives a ssl error (e.g. err_ssl_unrecognized_name_alert), and
you copy your link into a onebox-enabled site (e.g. discourse, I think, but I was using thredded: see thredded/thredded#682, I’ve also validated that this occurs in the current master of onebox with rake server).
I would expect it to either retrieve the pdf correctly and onebox it, or
attempt to retrieve it by https and fail and then just present a non-oneboxed link, or
(worst case) just show a onebox failure
it throws an error (to be caught or not by the webapp using onebox).
So I think the conversion of http -> https is by design
always_https in onebox/pdf_onebox.rb at 6b5b53b26e7bb36b9e3e6cedce5db9172692c851 · discourse/onebox · GitHub – to prevent mixed content errors.
However then I think onebox ought to deal with the https failure.
Not 100% sure how to proceed (I guess it’s possible to create a test case, it’s just a bit complicated).