SSO blocked loading mixed active


(Richard Phillips) #1

I have Discourse SSO working well.

My discourse is set up to ‘use https’ and is behind an nginx proxy which listens on 443, proxying through to the Discourse container which listens on port 80.

I am experimenting with my Discourse in an iFrame (yes, I know all the reasons why not - but am trying it for an edge case…) and am having trouble with 'Blocked Loading Mixed Active Content' errors preventing Discourse loading.

Looking carefully at the sequence of calls, Discourse successfully negotiates the SSO handshake, returning a /session/sso

This includes a Location header so without https. I think this is what is causing the problem. Outside the iFrame, this seems to be successfully redirected to the https version of the site - whereas in the iFrame it results in an error rather than a successful redirect.

So my question is whether this is a bug - surely Discourse SSO should honour the ‘use https’ setting and set the Location header accordingly…

Does that make sense or am I just missing something important here? (As far as I can see, all content is otherwise being served by https just fine)
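
The redirect sequence described in the post above, as an added example that is not part of the original post or of Discourse's code: it walks a recorded redirect chain, flags any hop whose Location header drops from https to http, and models why the same chain completes at top level but stops inside a frame on an https page. The hostname, the sample hops and the simplified blocking model (no HSTS or upgrade-insecure-requests) are assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample chain: (request URL, status, Location header).
# forum.example.com is a placeholder; only /session/sso comes from the post.
SAMPLE_HOPS = [
    ("https://forum.example.com/login", 302, "/session/sso"),
    ("https://forum.example.com/session/sso", 302, "http://forum.example.com/"),
    ("http://forum.example.com/", 301, "https://forum.example.com/"),
    ("https://forum.example.com/", 200, None),
]


def audit_chain(hops, parent_scheme=None):
    """Return (downgrades, completed) for a redirect chain.

    parent_scheme is the scheme of the embedding page when the chain runs
    inside an iframe, or None for a top-level navigation.
    """
    downgrades = []
    for url, status, location in hops:
        if not (300 <= status < 400) or not location:
            continue
        # Location may be relative; resolve it against the request URL.
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            blocked = parent_scheme == "https"
            downgrades.append({"from": url, "to": target, "blocked": blocked})
            if blocked:
                # Simplified model: the framed http:// load is refused, so
                # the later redirect back to https is never requested.
                return downgrades, False
    return downgrades, True


if __name__ == "__main__":
    for parent in (None, "https"):
        found, completed = audit_chain(SAMPLE_HOPS, parent_scheme=parent)
        print("parent:", parent, "completed:", completed, "downgrades:", found)
```

Feeding it the hops copied from the browser's network panel (or from `curl -sI` output) shows which response emits the plain-http Location.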