From d712389ae3e8351c1416aa81d4b85586cf98f002 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Sun, 5 Oct 2014 22:56:55 +0100
Subject: Avoid mixed content when cgiurl is https but url is not

---
 IkiWiki.pm | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

(limited to 'IkiWiki.pm')

diff --git a/IkiWiki.pm b/IkiWiki.pm
index c1518a2ae..38b91ae1d 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -613,7 +613,26 @@ sub checkconfig () {
 
 			$local_cgiurl = $cgiurl->path;
 
-			if ($cgiurl->scheme ne $baseurl->scheme) {
+			if ($cgiurl->scheme eq 'https' &&
+				$baseurl->scheme eq 'http') {
+				# We assume that the same content is available
+				# over both http and https, because if it
+				# wasn't, accessing the static content
+				# from the CGI would be mixed-content,
+				# which would be a security flaw.
+
+				if ($cgiurl->authority ne $baseurl->authority) {
+					# use protocol-relative URL for
+					# static content
+					$local_url = "$config{url}/";
+					$local_url =~ s{^http://}{//};
+				}
+				# else use host-relative URL for static content
+
+				# either way, CGI needs to be absolute
+				$local_cgiurl = $config{cgiurl};
+			}
+			elsif ($cgiurl->scheme ne $baseurl->scheme) {
 				# too far apart, fall back to absolute URLs
 				$local_url = "$config{url}/";
 				$local_cgiurl = $config{cgiurl};
@@ -626,6 +645,7 @@ sub checkconfig () {
 				$local_cgiurl = $config{cgiurl};
 				$local_cgiurl =~ s{^https?://}{//};
 			}
+			# else keep host-relative URLs
 		}
 
 		$local_url =~ s{//$}{/};
-- 
cgit v1.2.3