3

I am running Odoo and would like to add some caching mechanism.

In order to do so, I simply added a service worker and the following route:

    workbox.routing.registerNavigationRoute(
      '/web/',
      workbox.strategies.staleWhileRevalidate(),
    );

Unfortunately I now always receive the following error message: "Mixed Content: The page at 'https://test.emanju.de/sw.js' was loaded over HTTPS, but requested an insecure resource 'http://test.emanju.de/web/login'. This request has been blocked; the content must be served over HTTPS."

Obviously Odoo references some insecure sources. Now I have the following questions:

1) How am I able to identify these sources (all of them)? Can I somehow scan the whole page?
2) Can I somehow still run my service worker and just ignore the insecure files? Is there a way to still follow my goal without adjusting the existing application code and fixing all insecure files?

Thanks in advance!

Jeff Posnick
user3122136

2 Answers

3

I had a similar problem: Loading PDF presentation in the eLearning module ("slides") would request the resource over http rather than https. What worked in my case:

  • adding proxy_mode = True into the [options] section of odoo.conf (if you deployed using docker, put odoo.conf into /etc/odoo/odoo.conf, which in their docker-compose.yml example is a shared folder (./config:/etc/odoo))
  • nginx config I'm using (I was missing the X-Forwarded-Host header):

        location / {
            proxy_pass http://localhost:8069;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Host $host;
            proxy_redirect off;
            proxy_request_buffering off;
            proxy_connect_timeout  36000s;
            proxy_read_timeout  36000s;
            proxy_send_timeout  36000s;
            send_timeout  36000s;
            client_max_body_size 10240m;
        }

  • when in developer mode, go to Settings -> Technical -> System Parameters, and make sure your web.base.url contains https:// (some people also add web.base.url.freeze set to True -- this doesn't seem to have an effect on my installation)

Restart nginx, restart odoo, and voila, PDFs in Slides are being requested over https://.

0

(This is not specific to Workbox, as insecure, mixed content is an issue whenever you're using https://.)

There's some advice in this "Preventing Mixed Content" article about how to identify a full list of insecure resources that are being loaded.

As mentioned in that article, assuming that https:// versions of each of the URLs being loaded exist, you can use the Content-Security-Policy: upgrade-insecure-requests response header when serving your HTML to tell the browser to automatically swap-in https:// URLs.

Service workers require secure origins, and secure origins can't load resources via http://.

Jeff Posnick
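
An added example, not part of either answer and not Odoo or Workbox code: a Node.js function that audits captured responses for the two leaks discussed on this page, a redirect that downgrades an https:// request to http:// and http:// subresource URLs in HTML, and reports whether the `upgrade-insecure-requests` directive is present. The host name, the sample responses and the name `auditResponse` are constructed for illustration.

```javascript
// Added example. Tags whose src/href/data attribute triggers a subresource load.
// Plain <a href> links are navigations, not mixed content, so <a> is not listed.
const SUBRESOURCE = /<(script|img|iframe|link|source|audio|video|embed|object)\b[^>]*?\b(?:src|href|data)\s*=\s*["'](http:\/\/[^"']+)["']/gi;

function auditResponse(res) {
  const headers = {};
  for (const [k, v] of Object.entries(res.headers || {})) headers[k.toLowerCase()] = v;
  const findings = [];

  // 1. A redirect from an https:// request to an http:// target. This is what
  //    a backend emits when it does not know TLS is terminated in front of it.
  if (res.url.startsWith('https://') && headers['location']) {
    const target = new URL(headers['location'], res.url);
    if (target.protocol === 'http:') {
      findings.push({ kind: 'redirect-downgrade', url: target.href });
    }
  }

  // 2. Absolute http:// subresource URLs embedded in an HTML body.
  if ((headers['content-type'] || '').includes('text/html')) {
    for (const m of (res.body || '').matchAll(SUBRESOURCE)) {
      findings.push({ kind: 'insecure-subresource', tag: m[1].toLowerCase(), url: m[2] });
    }
  }

  // 3. Is the CSP directive mentioned in the answer set on this response?
  const csp = headers['content-security-policy'] || '';
  const upgradeInsecureRequests = csp.split(';')
    .some(d => d.trim().toLowerCase() === 'upgrade-insecure-requests');

  return { url: res.url, findings, upgradeInsecureRequests };
}

// Constructed sample responses (hypothetical host, not captured from a real server).
const SAMPLE = [
  { url: 'https://odoo.example.test/web/',
    headers: { Location: 'http://odoo.example.test/web/login' }, body: '' },
  { url: 'https://odoo.example.test/slides/1',
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: '<a href="http://odoo.example.test/help">help</a>' +
          '<iframe src="http://odoo.example.test/slides/embed/1.pdf"></iframe>' +
          '<img src="/logo.png">' },
  { url: 'https://odoo.example.test/web/login',
    headers: { 'Content-Type': 'text/html',
               'Content-Security-Policy': "default-src 'self'; upgrade-insecure-requests" },
    body: '<script src="https://odoo.example.test/app.js"></script>' },
];
const report = SAMPLE.map(auditResponse);
console.log(JSON.stringify(report, null, 2));
```

The attribute scan is a regex heuristic over static markup; URLs assembled by scripts at runtime only show up in the browser console or in CSP violation reports.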