Mixed content warnings on newsfeed #1001

Closed
opened 2025-11-02 03:44:49 -06:00 by GiteaMirror · 5 comments

Originally created by @davidmehren on GitHub (Aug 25, 2017).

  • Gitea version (or commit ref): 1.2.0+rc1
  • Git version: 2.11.0
  • Operating system: Ubuntu 17.04
  • Database:
    • [ ] PostgreSQL
    • [x] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [x] No
    • [ ] Not relevant
  • Log gist:

Description

When using the new 1.2.0 RC1, Chrome complains about mixed content on the "newsfeed" that is shown when a user is logged in.
The user profile picture on the left of each news entry is loaded using an absolute URL and HTTP:

```html
<div class="news">
		<div class="ui left">
			<img class="ui avatar image" src="http://my.domain.net/avatars/3f01fd3bf5ae0bf66baa29afae3aadd4" alt="">
		</div>
...
```

1.1.2 is using relative URLs:

```html
<div class="news">
		<div class="ui left">
			<img class="ui avatar image" src="/avatars/48b54c558b98d21bb042f4ddf2f9bf7d" alt="">
		</div>
...
```

Gitea is running behind an nginx reverse proxy which terminates the TLS connection to the clients.

I cannot reproduce this on try.gitea.io, because that seems to be using Gravatar for profile pics, which are loaded using HTTPS.

GiteaMirror added the type/question label 2025-11-02 03:44:50 -06:00

@lunny commented on GitHub (Aug 26, 2017):

@Morlinest maybe you can see this one.


@Morlinest commented on GitHub (Aug 26, 2017):

@lunny I hope yes.

I think the problem is when you use a reverse proxy with `Content Security Policy (CSP)` protection enabled and serve content from other URLs/ports. In the NGINX config it looks like this: `add_header Content-Security-Policy ...`.

@davidmehren Did you set your `app url` (in the ini it is `ROOT_URL`) in Gitea to `https://my.domain.net`?


@davidmehren commented on GitHub (Aug 31, 2017):

Everything is fine again after I changed `ROOT_URL` from `%(PROTOCOL)s://%(DOMAIN)s/` to `https://my.domain.net`.

I was first confused by this setting, because after I set `PROTOCOL` to `https` Gitea refused to start. I then realised that I need to start Gitea in HTTP mode but with an HTTPS URL (because otherwise it expects a TLS certificate).

@Morlinest Thanks for your advice!

One last question: Why did everything work in Gitea 1.2? Was there a behaviour change in 1.3?

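The root cause in this thread is a TLS-terminating proxy in front of an instance whose `ROOT_URL` still expands from `PROTOCOL` (which must stay `http` for Gitea to start without a certificate), so every absolute asset link is emitted as `http://`. The following is an added example, not Gitea's code and not anything posted by the participants: a small mixed-content scanner that finds sub-resources a browser would fetch over plain HTTP on an HTTPS page, plus a simplified model of the `%(PROTOCOL)s://%(DOMAIN)s/` placeholder expansion. The `resolve_root_url` expansion, the `render_newsfeed_entry` markup builder and the avatar hash are assumptions constructed for the demonstration; only the `ROOT_URL` values and the `my.domain.net` host come from the thread.

```python
"""Mixed-content check for rendered HTML, plus a model of how an http://
ROOT_URL behind a TLS-terminating proxy produces mixed-content asset links."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose value the browser fetches as a sub-resource.
_RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "link": ("href",),  # only for rel=stylesheet / rel=icon, see below
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every fetched sub-resource."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = _RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        if tag == "link":
            rel = (dict(attrs).get("rel") or "").lower().split()
            if not ({"stylesheet", "icon"} & set(rel)):
                return  # canonical/alternate links are not fetched as resources
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url [descriptor]" candidates
                for candidate in value.split(","):
                    parts = candidate.strip().split()
                    if parts:
                        self.urls.append((tag, name, parts[0]))
            else:
                self.urls.append((tag, name, value.strip()))


def find_mixed_content(html, page_url):
    """Return the sub-resource URLs a browser would fetch over plain HTTP when
    `html` is served from `page_url`.  Relative and protocol-relative URLs
    inherit the page's scheme, so only explicit http: URLs are flagged, and
    nothing is flagged when the page itself is not served over https:."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _ResourceCollector()
    collector.feed(html)
    return [url for _, _, url in collector.urls if urlsplit(url).scheme == "http"]


def resolve_root_url(root_url_template, protocol, domain):
    """Expand %(PROTOCOL)s / %(DOMAIN)s the way the ini template in this thread
    reads.  Simplified model for illustration, not Gitea's own config code."""
    return root_url_template % {"PROTOCOL": protocol, "DOMAIN": domain}


def render_newsfeed_entry(root_url, avatar_hash):
    """Constructed stand-in for the newsfeed markup quoted in the issue: the
    avatar <img> is built from an absolute ROOT_URL, as 1.2.0 RC1 did."""
    base = root_url.rstrip("/")
    return ('<div class="news"><div class="ui left">'
            f'<img class="ui avatar image" src="{base}/avatars/{avatar_hash}" alt="">'
            '</div></div>')


def demo():
    """Compare the templated ROOT_URL with the explicit https one from the fix."""
    page_url = "https://my.domain.net/"
    avatar_hash = "0123456789abcdef0123456789abcdef"  # constructed, not a real hash
    # Behind a TLS-terminating proxy Gitea itself speaks http, so the template
    # expands to an http:// base and every absolute avatar link is mixed content.
    templated = resolve_root_url("%(PROTOCOL)s://%(DOMAIN)s/", "http", "my.domain.net")
    explicit = "https://my.domain.net"  # the value that resolved the issue
    return (find_mixed_content(render_newsfeed_entry(templated, avatar_hash), page_url),
            find_mixed_content(render_newsfeed_entry(explicit, avatar_hash), page_url))


if __name__ == "__main__":
    flagged, clean = demo()
    print("templated ROOT_URL ->", flagged)
    print("explicit  ROOT_URL ->", clean)
```

Running `demo()` flags the single `http://my.domain.net/avatars/...` link for the templated `ROOT_URL` and nothing for the explicit `https://` one. The same `find_mixed_content` call can be pointed at the saved HTML of any page served through the proxy, which is a cheap post-deployment check that the external URL matches the scheme clients actually use.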

@DerMolly commented on GitHub (Aug 31, 2017):

@davidmehren you mean 1.1.2 and 1.1.3, don't you?


@Morlinest commented on GitHub (Aug 31, 2017):

@davidmehren You're welcome. I think the change from relative to absolute URL was done in #1779 + #1820 (the new function `GetActAvatar` was used instead of the removed `ActAvatar` struct value).


Reference: github-starred/gitea#1001