0

I have an issue with the HTTPS header for the ExpressionEngine control panel where the JS is being disabled. It keeps generating error messages where HTTP is being loaded over HTTPS (see below):

Mixed Content: The page at 'https://domain.com/sitebox/?/cp/homepage' was loaded over HTTPS, but requested an insecure script 'http://domain.com/sitebox/?S=0&D=cp&C=javascript&M=combo_load&ui=core,widget,mouse,position,sortable,dialog,button&plugin=ee_interact.event,ee_broadcast.event,ee_notice,ee_txtarea,tablesorter,ee_toggle_all,nestable&file=react/react.min,react/react-dom.min,json2,underscore,cp/global_start,cp/form_validation,cp/sort_helper,cp/form_group,cp/modal_form,cp/confirm_remove,cp/fuzzy_filters,components/no_results,components/loading,components/filters,components/filterable,components/toggle,components/select_list,fields/select/select,fields/select/mutable_select,fields/dropdown/dropdown&v=1557994073'. This request has been blocked; the content must be served over HTTPS.
?/cp/homepage:1

Mixed Content: The page at 'https://domain.com/sitebox/?/cp/homepage' was loaded over HTTPS, but requested an insecure script 'http://domain.com/sitebox/?S=0&D=cp&C=javascript&M=combo_load&file=cp/global_end&v=1557994052'. This request has been blocked; the content must be served over HTTPS.

The base and site URLs have been updated to cater for HTTPS. Also, the SSL is being forced in the .htaccess file and the themes URL should pick up the protocol using the PHP rule below—

// Declaring site variables
$domain = $_SERVER['HTTP_HOST'];
$protocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';
$base_url = $protocol . $domain;

// Theme URL
$config['theme_folder_url'] =  $base_url . "/". $themes_folder;

The basic troubleshooting has been covered but not having much success.

Can anyone suggest a way around this please?

Improve this question
3
  • Have you tried just hard coding those values in your config (with the https protocol) instead of trying to detect them via PHP? Depending on your server setup, sometimes the HTTPS value isn't set at all Commented Aug 12, 2019 at 19:26
  • Hi @jrothafer thanks for the reply. I updated the $protocol variable to equal 'https://' but the same things occur. The base, site and themes URLs do match loading under to 'https://'. It's mainly the themes script that won't under 'https://'. The ExpressionEngine assets were uploaded from a local environment without having a 'https://' or SSL certificate. Would it be best to do a complete fresh EE installation or could the 'http://' URLs be updated in the database? Not sure is this a cache or configuration issue. Commented Aug 13, 2019 at 9:12
  • Did you ever find a fix for this? I'm also experiencing it and have tried setting HTTPS in a million places, to no joy Commented Apr 14, 2021 at 12:00

4 Answers 4

Reset to default
0

Your site will load those JavaScript assets from the Control Panel via the cp_url setting. Try setting that:

https://docs.expressionengine.com/latest/general/system-configuration-overrides.html#cp_url

$config['cp_url'] = 'https://domain.com/sitebox/';

That may not be the exact one, but this isn't a themes path issue, it's a CP path issue. Also check it in your CP settings, as you can set it there as well.

Improve this answer
2
  • Thanks for the suggestion. I've updated the $config['cp_url'] to the admin link and both the variable and CP setting link match. However, the JS are still generating the mixed content errors for the JS scripts. I tried locating the JS raw files to see if the http:// references can be updated externally but it looks that all the assets are compressed. Is there a file location where all the control panel JS assets can be edited? Commented Aug 13, 2019 at 15:26
  • A controller generates that output, finding the raw files won't help. I'm not sure where something is set wrong, but this is really just a setting issue somewhere. Double check your Control Panel settings, and go over the system configuration variables, and triple check everything is set to https. And clear your browser cache. Commented Aug 13, 2019 at 16:07
0

I've had issues with loading js resources on every single EE project I've worked on (5 at this point) and every time I've had to contact the server host and have them whitelist an action in mod_security. Check your network headers and see if you're getting any 500 status errors.

Improve this answer
0

It is important to add this line to .htaccess:

RewriteCond %{REQUEST_URI} !/sitebox/.* [NC]

So it should look like:

<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /

        # Removes index.php from ExpressionEngine URLs
        RewriteCond %{THE_REQUEST} ^GET.*index\.php [NC]
        RewriteCond %{REQUEST_URI} !/system/.* [NC]
        RewriteCond %{REQUEST_URI} !/sitebox/.* [NC]
        RewriteRule (.*?)index\.php/*(.*) /$1$2 [R=301,NE,L]

        # Directs all EE web requests through the site index file
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>
Improve this answer
0

Try using the .env setup (https://docs.expressionengine.com/latest/advanced-usage/env-support.html#example) to set the paths and base url and in the CP use {base_url} to set paths. I've not every liked relying on $_SERVER variables to pick up https. And in the newer Chrome browser versions connections are automatically upgraded to HTTPS (and I've seen that cause this issue since the page requested is automatically upgraded but the link references obviously are not).

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.