debug bar loaded over http - blocked
#1

(This post was last modified: 06-29-2021, 06:10 AM by BilltheCat.)

I'm not sure where to start looking, so hopefully someone else has run across this already.
Last night I copied everything from my Windows local machine to my CentOS 7 server, and I'm getting an odd issue in development mode.  The debug bar won't load, and the error message in my browser says:
Code:
Mixed Content: The page at 'https://mysite.com/ci4test/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mysite.com/ci4test/?debugbar_time=1624914457'. This request has been blocked; the content must be served over HTTPS.

Is there some setting that's different for the debug bar than baseURL?

.env file setting:
app.baseURL = 'https://mysite.com/ci4test/'

/app/Config/App.php:
public $baseURL = 'https://mysite.com/ci4test/';

What else is there?

I'm on CodeIgniter version 4.1.3
Reply
#2

(This post was last modified: 06-29-2021, 03:31 PM by Gary.)

I had a similar problem, and found that my whole JavaScript-driven site became 100% non-responsive when I tried to enable the Toolbar in my recent upgrade from v4.0.x to v4.1.3 (I don't usually use the Toolbar, so just disabled it again, poured another glass of wine and carried on with more meaningful things... like drinking the glass of wine).

Having read your question, it sounded similar to my problem (vaguely... if one has had a few glasses of wine, perhaps more so than it would otherwise)... so I re-enabled the Toolbar to have a look at the errors being reported.

It comes down to the Content Security Policy and I found that, in my case, removing the nonce restriction: {csp-script-nonce} x3 in the code in system/debug/Toolbar.php permitted my site to work as it was pre-v4.1.3:

Code:
$script = PHP_EOL
                    . '<script type="text/javascript" {csp-script-nonce} id="debugbar_loader" '
                    . 'data-time="' . $time . '" '
                    . 'src="' . site_url() . '?debugbar"></script>'
                    . '<script type="text/javascript" {csp-script-nonce} id="debugbar_dynamic_script"></script>'
                    . '<style type="text/css" {csp-style-nonce} id="debugbar_dynamic_style"></style>'
                    . $kintScript
                    . PHP_EOL;
becomes:
Code:
$script = PHP_EOL
                    . '<script type="text/javascript" id="debugbar_loader" '
                    . 'data-time="' . $time . '" '
                    . 'src="' . site_url() . '?debugbar"></script>'
                    . '<script type="text/javascript" id="debugbar_dynamic_script"></script>'
                    . '<style type="text/css" id="debugbar_dynamic_style"></style>'
                    . $kintScript
                    . PHP_EOL;

I'm not sure exactly why there's a restrictive CSP on the Toolbar (given that it gets disabled when ENVIRONMENT='production')... but then I don't understand a lot of things... like this insane desire for gene-therapy as of late.

If this doesn't work for you, then I suspect you'll probably need to play with the security policy settings in /app/Config/ContentSecurityPolicy.php for the parts of the CSP that are relevant to your site (to 'loosen' it up wherever it's blocking).
Reply
#3

Hey Gary, thanks for your response and details.... unfortunately it didn't work, possibly more wine needed  Wink

I also tried installing a fresh Composer -> appstarter and enabling the debug bar, but again - no luck.  I'll play with the CSP rules a bit, but I'm not altogether convinced it's not some weird issue with my CloudFlare implementation.
Reply
#4

(06-29-2021, 03:50 PM)BilltheCat Wrote: Hey Gary, thanks for your response and details.... unfortunately it didn't work, possibly more wine needed  Wink

I also tried installing a fresh Composer -> appstarter and enabling the debug bar, but again - no luck.  I'll play with the CSP rules a bit, but I'm not altogether convinced it's not some weird issue with my CloudFlare implementation.

For interest, you could try changing:

  
Code:
. 'src="' . site_url() . '?debugbar"></script>'

to:
  
Code:
. 'src="https://mysite.com/ci4test/?debugbar"></script>'

in the same bit of code, to establish if it's a Toolbar problem or something to do with CloudFlare (?)
Reply
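
The mixed-content check behind the error in post #1, and why a loader URL that is explicitly `https://` gets past it, as an added example (not code from the thread or from CodeIgniter). It is a simplified model of the browser rule; the function names and `SAMPLE_HTML` are constructed for illustration, and the `http://` loader tag assumes `site_url()` returned an `http://` URL.

```javascript
// Added example: a simplified model of the browser's mixed-content check.
// Function names and SAMPLE_HTML are constructed for illustration.
const PAGE = 'https://mysite.com/ci4test/';
const UPGRADEABLE = new Set(['image', 'audio', 'video']); // warned or auto-upgraded, not blocked
const TAG_DEST = { script: 'script', link: 'style', iframe: 'iframe',
                   img: 'image', audio: 'audio', video: 'video' };

// https/wss and loopback hosts count as trustworthy, so local http dev setups pass.
function isTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  const h = url.hostname;
  return h === 'localhost' || h.endsWith('.localhost') ||
         h === '[::1]' || /^127(\.\d{1,3}){3}$/.test(h);
}

// Returns 'allowed', 'upgradeable' or 'blocked' for one request made by pageUrl.
function classifyRequest(pageUrl, requestUrl, destination) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl, page); // relative URLs inherit the page's scheme
  if (page.protocol !== 'https:') return 'allowed'; // no check on an insecure page
  if (isTrustworthy(target)) return 'allowed';
  if (target.protocol !== 'http:' && target.protocol !== 'ws:') return 'allowed'; // data:, blob: (simplified)
  return UPGRADEABLE.has(destination) ? 'upgradeable' : 'blocked';
}

// Lists every src/href in the markup that would not load cleanly from pageUrl.
function auditHtml(pageUrl, html) {
  const re = /<(script|link|iframe|img|audio|video)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  for (const [, tag, ref] of html.matchAll(re)) {
    const verdict = classifyRequest(pageUrl, ref, TAG_DEST[tag.toLowerCase()]);
    if (verdict !== 'allowed') findings.push({ tag: tag.toLowerCase(), url: ref, verdict });
  }
  return findings;
}

// Constructed markup: the loader tag as it would look with an http:// site_url().
const SAMPLE_HTML = `
<script type="text/javascript" id="debugbar_loader" data-time="1624914457"
        src="http://mysite.com/ci4test/?debugbar"></script>
<script src="https://mysite.com/ci4test/app.js"></script>
<img src="http://mysite.com/ci4test/logo.png">`;

console.log(auditHtml(PAGE, SAMPLE_HTML));
console.log(classifyRequest(PAGE, 'http://mysite.com/ci4test/?debugbar_time=1624914457', 'xhr'));
```

A relative `?debugbar` src is classified as allowed as well, because it resolves against the page and inherits its `https:` scheme.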
#5

(06-29-2021, 04:17 PM)Gary Wrote:
(06-29-2021, 03:50 PM)BilltheCat Wrote: Hey Gary, thanks for your response and details.... unfortunately it didn't work, possibly more wine needed  Wink

I also tried installing a fresh Composer -> appstarter and enabling the debug bar, but again - no luck.  I'll play with the CSP rules a bit, but I'm not altogether convinced it's not some weird issue with my CloudFlare implementation.

For interest, you could try changing:

  
Code:
. 'src="' . site_url() . '?debugbar"></script>'

to:
  
Code:
. 'src="https://mysite.com/ci4test/?debugbar"></script>'

in the same bit of code, to establish if it's a Toolbar problem or something to do with CloudFlare (?)

Thank you. It works!
Reply
#6

@Gary Issue resolved. I'm still not 100% sure what was wrong, but I disabled/enabled Brotli, Rocket Loader, and DNS proxy.... now it works, and I can't replicate the issue again by setting those back.  Maybe just a weird glitch in the Matrix   Big Grin
Reply
#7

(06-30-2021, 07:27 AM)BilltheCat Wrote: @Gary Issue resolved. I'm still not 100% sure what was wrong, but I disabled/enabled Brotli, Rocket Loader, and DNS proxy.... now it works, and I can't replicate the issue again by setting those back.  Maybe just a weird glitch in the Matrix   Big Grin

All's well that ends well.

Buckle up!... if you've had your red pill, you'll find there's regular glitches in the Matrix from here on out...
Reply



