Dear community,
While testing a new application we are currently developing, we have found out that all play.dhis2.org instances send invalid response headers on URL redirects.
For instance, visiting https://play.dhis2.org/2.34.1/dhis-web-cache-cleaner/index.action should redirect to https://play.dhis2.org/2.34.1/dhis-web-cache-cleaner/index.html but instead it redirects to http://play.dhis2.org/2.34.1/dhis-web-cache-cleaner/index.html.
If you notice, the redirect header is wrongly mixing in an HTTPS → HTTP redirect. This is normally not an issue because the browser visits the HTTP page and nginx produces a new HTTP → HTTPS redirect.
However, if DHIS2 is served inside an iframe, due to the enhanced security policies of iframes, the browser detects this redirect inside the document and blocks it as mixed content.
In our instances we have identified this same problem in the past and resolved it by updating the Catalina connector found in the server.xml file:

```xml
<!-- Tomcat HTTP connector sitting behind an HTTPS-terminating reverse proxy (nginx).
     proxyName/proxyPort/scheme/secure tell Tomcat what the client actually used,
     so redirects it generates are built as https://play.dhis2.org/... instead of http://... -->
<Connector
    port="8080"
    protocol="HTTP/1.1"
    proxyPort="443"
    scheme="https"
    secure="true"
    proxyName="play.dhis2.org"
    connectionTimeout="20000"
    URIEncoding="UTF-8"
    relaxedQueryChars='\ { } | [ ]'
    redirectPort="8443"
/>
```
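To verify that a deployment no longer produces the HTTPS → HTTP downgrade described above, the following added example (written for this reply, not part of the original post or of DHIS2 itself) resolves a `Location` header against the request URL, as a browser would, and flags redirects whose scheme drops from https to http. The `SAMPLE_REDIRECTS` entries and the `example.org` host are constructed inputs; `fetch_location` is a hypothetical helper that performs a single request without following redirects, so you can feed live headers into the same check.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

# Constructed sample exchanges (not captured from play.dhis2.org):
# (request URL, value of the Location header the server returned)
SAMPLE_REDIRECTS = [
    ("https://example.org/app/index.action", "http://example.org/app/index.html"),   # downgrade
    ("https://example.org/app/index.action", "https://example.org/app/index.html"),  # fine
    ("https://example.org/app/index.action", "/app/index.html"),                     # relative: inherits https
    ("http://example.org/app/index.action", "https://example.org/app/index.html"),   # upgrade, fine
]


def resolve_location(request_url, location):
    """Resolve an absolute or relative Location header against the request URL (RFC 7231 §7.1.2)."""
    return urljoin(request_url, location)


def is_scheme_downgrade(request_url, location):
    """True when an HTTPS request is redirected to a plain-HTTP target (the mixed-content case)."""
    origin = urlsplit(request_url)
    target = urlsplit(resolve_location(request_url, location))
    return origin.scheme == "https" and target.scheme == "http"


def audit(redirects):
    """Return (request_url, resolved_target) for every redirect that downgrades HTTPS to HTTP."""
    return [
        (req, resolve_location(req, loc))
        for req, loc in redirects
        if is_scheme_downgrade(req, loc)
    ]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the raw Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def fetch_location(url, timeout=10):
    """Hypothetical helper: request `url` once and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    for req, target in audit(SAMPLE_REDIRECTS):
        print(f"DOWNGRADE: {req} -> {target}")
```

Running it against the constructed samples reports only the first entry; a relative `Location` is not a downgrade because the browser keeps the request's scheme, which is also why an absolute `http://` Location from Tomcat is the specific thing the connector attributes above fix.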
To make sure all applications work correctly on play instances we would like to raise awareness of this issue to @dhis2-backend and @dhis2-platform to see if it can be resolved.
Also, it might be helpful for others to provide a notice on the related parts of the implementer guide docs, as this issue might also be affecting other organizations deploying DHIS2 instances over HTTPS.
Even though right now this only affects DHIS2 being served inside an iframe, it is likely that future browser updates will tighten the policies regarding mixed content, so fixing this problem might avoid future problems.
Thanks!