As discussed in #746264: Ajax error message on secure pages, when one is using HTTPS on their website, Ajax error messages are returned. For example, after enabling the Secure Pages module, I went to create a view. When I tired to add a Filter to my new view, I received the following error message:

An error occurred at http://www.my-domain.com/admin/build/views/ajax/add-item/my-view/default....

More precisely, the error occurs when I have Secure Pages enabled and on a https connection in /admin. I create a filter in my view, make my selection of which type of filter to add, and then click "add." Upon investigation with Firebug, without making any changes to the default settings of Secure Pages, when I click "add" I get a 404 status for the "Options Filter" located at "http://www.my-domain.com/admin/build/views/ajax/add-item/my-view/default..." when the URL should be coming from "https://...".

When I modify the Secure Pages module away from its default settings, and take out the directive to ignore "*/ajax/*", and try again, a 302 redirect is returned, as show by Firebug. Yet this is still enough to break the ajax request, as I get the same error message.

I received similar messages when I tried to add a Field.

The solution for me was in comment #11 in the issue linked to above, with 1 minor modification (adding 'www.' before 'mysite.com'):

$base_url = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']=='on') ? 'https://' : 'http://') . 'www.mysite.com';

However, as Fox rightly pointed out on IRC, putting the fix into $base_url is not a viable option for the public at large.

CommentFileSizeAuthor
#17 securepages-863562.patch723 bytesd.clarke
#15 securepages-863562.patch561 byteshadsie
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Project: Drupal core » Secure Pages
Version: 6.17 » 6.x-1.x-dev
Component: ajax system » Code

This really doesn't feel like a core bug at all. If secure pages messes-up with the URLs, it should also mess up with $base_url.

DavidWhite’s picture

DavidWhite CreditAttribution: DavidWhite commented
Project: Secure Pages » Drupal core
Version: 6.x-1.x-dev » 6.17
Component: Code » ajax system

I disagree, due to the comments made by merlinofchaos in the issue that I linked to in my original post (see comments #6 and #8). In addition, please see comment #3 in #566650: Views & Popup AJAX Do Not Work with SecurePages. I did my homework before submitting this; however, I suppose I could still be wrong.

But in both issues that I have linked to now, there are comments specifically mentioning that the problem remains when Secure Pages is turned off (but the site is using https by some other means). Note also that I am now using the $base_url fix on my current site, and secure pages is working with views as it should.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented

If you set $base_url in your settings.php, Drupal will respect that (including the protocol). Secure Page could override $base_url if it wants to.

But as far as Drupal is concerned, there is nothing wrong with this behavior.

Heine’s picture

Heine CreditAttribution: Heine commented

conf_init should use the correct URL scheme when a request goes over https and $base_url is NOT explicitly set in settings.php. If not, there's a bug in conf_init.

Can you confirm the problem occurs on an install that does NOT have $base_url set in settings.php?

rfay’s picture

rfay
Primary language English
Location Palisade, CO, USA
CreditAttribution: rfay commented

The fundamental issue is that the AHAH/AJAX callback must exist.

If you're on https://example.com/somepage, which has an AHAH feature, it's going to look for /somecallback (which has been set up with #ahah). If that callback doesn't exist, you get a 404. Well, if securepages is converting "somepage" to https, but not handling "somecallback", then you have a 404.

I think the bottom line is if you're using securepages and AHAH, you basically need to either:

1. Convert the whole site to https

or

2. Convert all AJAX pages and all AJAX callbacks to https

or

3. Convert all AJAX pages and all AJAX callbacks to not be https.

I don't actually see this as a bug in anything, but an unintended consequence of the way Securepages changes only some URLs on a site to a different scheme.

Note that just adding/excluding "*/ajax/*" is in no way adequate, as there is no way to know that all #ahah['path'] have "/ajax/" in them - #ahah['path'] is free form.

In Drupal 7, nearly all AJAX forms go through /system/ajax, so you have higher chance of success there. But you still have a problem: SecurePages won't let you map a class of URLs as "always the same as the calling page" or something like that.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Project: Drupal core » Secure Pages
Version: 6.17 » 6.x-1.x-dev
Component: ajax system » Code

Well. Anyway, except if we have more information proving otherwise, this is a Secure Pages issue.

EvanDonovan’s picture

EvanDonovan CreditAttribution: EvanDonovan commented

rfay's description makes sense to me. We experienced this issue on our site with Ubercart. I don't think it is Drupal core's responsibility to solve this. Rather, the user of SecurePages must take care to either explicitly exclude or include all AJAX paths from https.

Still, this should be documented, and a list of the most common (Views, Panels, Ubercart, etc.) should be created, if it doesn't exist already.

EvanDonovan’s picture

EvanDonovan CreditAttribution: EvanDonovan commented

Personally, I find that this issue makes it too difficult to use Secure Pages for the entire /admin section, since there are too many paths to worry about. So I restrict its use to the Ubercart store specifically. However, this definitely limits the module's usefulness.

DavidWhite’s picture

DavidWhite CreditAttribution: DavidWhite commented

After #3, Damien and I talked briefly on IRC, and I agreed and better understand the situation. Sorry that I haven't been able to respond to this again until now. I think my issue was that $base_url was specifically set. I am curious (and will try to test soon) as to how Secure Pages works when $base_url is not set. I agree (now) that this is not a core issue. However, I don't think that the issue is specifically related to Secure Pages, but to all implementations of HTTPS when $base_url is set - and this, I agree with EvanDonovan, needs to be better documented.

I'll try to do some testing soon and get back to you guys. Thanks for the comments and for your patience!

- David

Jonah Ellison’s picture

Jonah Ellison CreditAttribution: Jonah Ellison commented
Title: url() returns bad ajax request on https connection » Change $base_url to https:// if explicitly set to http:// by settings.php

Note that when $base_url is not set, Drupal core will automatically set it to https:// if on HTTPS. See bootstrap.inc's conf_init.

Secure Pages should mimic this behavior, even if the user has set the $base_url as "http://www.example.com" in their settings.php file. There are lot people opening issues that are related to $base_url set to http, and and this module can resolve it rather simply. Let's make this module work out-of-the-box!

I propose that Secure Pages checks if the user has http:// in the $base_url, then change it if on SSL. This will resolve all these issues about Ajax errors, etc.

Here is one solution. Add this on the very top of securepages.module:

// Change base_url to HTTPS ($base_url may be explicitly set by settings.php)
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
  global $base_url;
  $base_url = str_replace('http://', 'https://', $base_url);
}
EvanDonovan’s picture

EvanDonovan CreditAttribution: EvanDonovan commented

That seems like a good solution. Thanks, Jonah.

EvanDonovan’s picture

EvanDonovan CreditAttribution: EvanDonovan commented

@Jonah: Could you re-roll this as a patch, and thus I could test and mark RTBC?

visualnotion’s picture

visualnotion CreditAttribution: visualnotion commented

Jonah's code in comment #10 above worked great for me and was quick and easy to get things fixed. (Thanks so much, Jonah!)

Has this been rolled into Dev or can it be soon?

EvanDonovan’s picture

EvanDonovan CreditAttribution: EvanDonovan commented

Probably it would need to be made into a patch before the maintainer would be willing to commit. Sorry I don't have time atm.

hadsie’s picture

hadsie CreditAttribution: hadsie commented
Status: Active » Needs review
FileSize
securepages-863562.patch561 bytes

#10 seems to be working for me. here's a patch for it.

WiredEscape’s picture

WiredEscape CreditAttribution: WiredEscape commented

D6.19
Securepages v6x-1.8

Confirming that #10 solves ajax errors.

Thanks for solution to very annoying problem!

d.clarke’s picture

d.clarke CreditAttribution: d.clarke commented
FileSize
securepages-863562.patch723 bytes

Here is an updated version of the patch from #15. I moved it into hook_boot and changed the if statement to leverage the securepages_is_secure() function.

dbassendine’s picture

dbassendine CreditAttribution: dbassendine commented

We also need to set $base_root correctly so pages are cached under their correct addresses in the cache table. This has caused weirdness when caching is enabled and $base_url is set - see my comment at http://drupal.org/node/587000#comment-4224126.

My patch there (http://drupal.org/node/587000#comment-4224320) takes a similar approach to #15 here, except it updates the URL using the existing securepages_baseurl function - allowing the $base_url to reflect the custom paths setting provided in the admin interface (as well as less code duplication).

I'll post an updated version of the patch (including $base_url and $base_root) shortly.

Thanks, David

ThirstySix’s picture

ThirstySix CreditAttribution: ThirstySix as a volunteer and commented
Status: Needs review » Closed (outdated)