seeking guidance to resolve mixed content error #2025

Closed
deepsnow opened this issue Mar 10, 2016 · 7 comments

@deepsnow

deepsnow commented Mar 10, 2016

Hello,

I'm working with a web app that uses Swagger to describe its REST API. Some users host and access the web app over http, and some do so over https.

The users who host/access the web app over https, and who attempt to use the app's Swagger page to interact with the app's REST API, are seeing errors like this one:

Mixed Content: The page at 'https://ourhost.com/swagger/ui/index#!/User/User_Get' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://ourhost.com:443/api/user'. This request has been blocked; the content must be served over HTTPS.

(I'm not yet sure how that ":443" got tacked on there...)

I've reviewed #1006 and #1382 and domaindrivendev/Swashbuckle.WebApi#296 but I'm not sure how to bring about a remedy.

I'm tempted to change SwaggerConfig.cs.pp, which currently has a line that reads

//c.Schemes(new[] { "http", "https" });

to read

c.Schemes(new[] { "http", "https" });

or to read

c.Schemes(new[] { "https", "http" });

but I'm fearful that in doing so I might break Swagger functionality for the developers who run over http.

What can I do to make our app's Swagger page function properly whether our app is hosted and accessed through http or https?

What additional information should I provide here so that you can guide me aright?

Thanks,

@webron
Contributor

webron commented Mar 10, 2016

@deepsnow - can you try dropping the schemes altogether? The way Swagger works is that it will use the scheme that's being used to access the swagger.json file itself. So for users who access it via http, it will default to http and those who access it via https it would default to https. That should resolve your issue.

@deepsnow
Author

Schemes are currently not being specified through Swashbuckle. The relevant line is commented out (per my above post).

However, when I look at my http://ourhost.com/swagger/docs/v1, I can see an entry that reads:

"schemes":["http","https"]

Does that mean the schemes are being used even though they are not being referenced in Swashbuckle's SwaggerConfig.cs.pp?

@webron
Contributor

webron commented Mar 10, 2016

I really have no idea how Swashbuckle works or what it does - you'd have to ask the question on its repo. If you see the schemes output even though you don't specify it, then 'something' puts it in there as Swashbuckle is the spec generator in this case.

Before going down that route, if you want, you can just save the file locally, manually remove the schemes, and host it in your app server as a static file both with http and https access. Then use both to access the file and check if that resolves your issue. If so, then you can try figuring out how to remove it from the generated spec.

@deepsnow
Author

Thanks for that direction! Will reply after investigating and experimenting further. (Swashbuckle "Seamlessly adds a swagger to [ASP.NET] WebApi projects".)

@nooruddin

In swagger-ui.js,
change

else if (typeof this.scheme === 'undefined') {
  this.scheme = this.schemes[0] || location.scheme;
}

to

else if (typeof this.scheme === 'undefined') {
  this.scheme = location.scheme || this.schemes[0];
}

This will work 100%. Just switch those two variables.
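
Added example, not part of any comment in this thread and not swagger-ui's own code: a small Node.js check that reproduces the scheme selection discussed above (the spec's first scheme versus the scheme used to load the spec) and reports whether the resulting request would be blocked as mixed content. The function names, the `preferLoad` flag and the sample spec objects are hypothetical; the URLs are constructed from the values reported in the issue.

```javascript
// Added example: names below are hypothetical, not swagger-ui's API.

// Scheme selection modelled on the snippet quoted in the thread.
// specSchemes: the "schemes" array from the spec (may be undefined)
// specUrl:     the URL the spec was fetched from
// preferLoad:  false = spec's first scheme wins (original order),
//              true  = scheme used to load the spec wins (swapped order)
function resolveScheme(specSchemes, specUrl, preferLoad) {
  const loadScheme = new URL(specUrl).protocol.replace(/:$/, '');
  if (!Array.isArray(specSchemes) || specSchemes.length === 0) {
    return loadScheme; // no schemes in the spec: follow the spec URL
  }
  return preferLoad ? loadScheme : specSchemes[0];
}

// A browser blocks an http: XHR issued by a page loaded over https:.
function isMixedContent(pageUrl, requestUrl) {
  return new URL(pageUrl).protocol === 'https:' &&
         new URL(requestUrl).protocol === 'http:';
}

// Build the API URL the UI would call and report whether it gets blocked.
function checkSpec(spec, specUrl, pageUrl, preferLoad = false) {
  const scheme = resolveScheme(spec.schemes, specUrl, preferLoad);
  const host = spec.host || new URL(specUrl).host;
  const requestUrl = `${scheme}://${host}${spec.basePath || ''}/api/user`;
  return { scheme, requestUrl, blocked: isMixedContent(pageUrl, requestUrl) };
}

// Constructed sample input, based on the values reported in the thread.
const page = 'https://ourhost.com/swagger/ui/index';
const specUrl = 'https://ourhost.com/swagger/docs/v1';
const withSchemes = { host: 'ourhost.com', schemes: ['http', 'https'] };
const withoutSchemes = { host: 'ourhost.com' };

console.log(checkSpec(withSchemes, specUrl, page));       // blocked: true
console.log(checkSpec(withoutSchemes, specUrl, page));    // blocked: false
console.log(checkSpec(withSchemes, specUrl, page, true)); // blocked: false
```

With `schemes` omitted, a spec loaded over http resolves to http and one loaded over https resolves to https, which is the behaviour both deployments in the issue need.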

@deepsnow
Author

We believe that we've fixed the issue by changing our code (the code that calls Swashbuckle) to omit the schemes setting. (Still waiting on QA to confirm, but I'm pretty sure this is done.) Thanks to everyone for commenting.

@matusvalo

Hi all,

I want to deploy Swagger but I am facing an issue with mixed content since we are using HTTPS. Do you have any plan of the release date of Swagger UI with the fix incorporated? Thank you.
