Contrib.social

Mixed Content: The site at 'https://mysite.com' was loaded over a secure connection) File export URLs served over HTTP in Views Data Export causes mixed content issue

Open on Drupal.org →
Created on 27 January 2025, 8 months ago

Problem/Motivation

When exporting files using the Views Data Export module, the file download URL is being served over HTTP instead of HTTPS, even when the site is loaded over HTTPS. This causes browsers to block the file download due to mixed content issues.

Steps to reproduce

  • Set up a Drupal site with the Views Data Export module enabled.
  • Create a View with a "Data Export" display.
  • Access the View over HTTPS and export the file.
  • Check the file download URL in the browser's developer console.
  • Expected Behavior
  • The file download URL should use HTTPS when the site is loaded over HTTPS.

Actual Behavior

The file download URL uses HTTP, causing mixed content errors and blocking the file download.

Relevant Browser Error

Mixed Content: The site at 'https://qoa-dev.applab.qa/' was loaded over a secure connection, but the file at 'https://qoa-dev.applab.qa/system/files/views_data_export/diploma_applicaions_data_export_2/1-1737959520/Diploma-Applications-2025-01-27T06%3A32%3A00%2B0000.xlsx' was redirected through an insecure connection. This file should be served over HTTPS.

Environment

  • Drupal Core: (e.g., 10.x or 9.x)
  • Module Version: (e.g., 8.x-1.0)
  • PHP Version: (e.g., 8.1.x)
  • Browser: (e.g., Chrome 115, Firefox 116)

Proposed Solution

The issue can be fixed by ensuring that file URLs generated by the module respect the site's HTTPS configuration.

Code Changes

In the module's file handling logic, replace:

$url = \Drupal::service('file_url_generator')->generateAbsoluteString($results['vde_file']);

With:

$url = \Drupal::service('file_url_generator')->generateAbsoluteString($results['vde_file']);
$url = str_replace('http://', 'https://', $url);

This ensures the file URL always uses HTTPS.

Patch

A patch is attached to resolve this issue.

🐛 Bug report
Status

Needs review

Version

2.0

Component

Code

Created by

🇵🇰Pakistan mansoor aziz

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @mansoor aziz
  • Comment 8 months ago
    🇵🇰Pakistan mansoor aziz

    A patch is attached to resolve this issue.

  • Comment 8 months ago
    🇬🇧United Kingdom steven jones

    Thanks for the bug report. Please search the issue queue before filling new issues. This issue is a duplicate of Add option to force https on redirect url Active

  • Status changed to Closed: duplicate 2 months ago
  • Comment 2 months ago
    🇬🇧United Kingdom colinstillwell

    I've encountered this issue on 8.x-1.6, particularly when using the S3FS module in an HTTPS environment.

    The problem stems from how S3FS changes the private file stream wrapper. As a result, the path is no longer relative, and generateString() returns a full URL — but with the incorrect http scheme, even when the site is served over HTTPS.

    My patch ensures the final URL uses https, resolving the mixed content issue without modifying stream wrapper behaviour.

  • Comment 2 months ago
    🇬🇧United Kingdom colinstillwell
  • Comment 2 months ago
    🇬🇧United Kingdom colinstillwell

    Further to my previous comment, I might be wrong here. I did not realise that my local was upgraded from 8.x-1.5 to 8.x-1.6 when applying the patch.

    I am going to proceed without the patch, test with 8.x-1.6 then will come back to this with my findings.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024