I ended up adding a Content-Security-Policy: upgrade-insecure-requests response header which forced the content to be loaded via https, which seems to have done the trick.  Ideally, it would be great if Epi were to use the url from the web config from the cms, or else have a setting that allows you to change all the links to be https instead of http (perhaps I am missing that setting).

I've had a similar problem, but its actually on the Promotions section of Commerce Manager.  Whenever you use any fields to add SKU/Products that causes an ajax callback, it fails.  Initially it is the issue you mentioned above where I've added the HttpProtocol CustomHeader....  but then when that is in place you get a 302 redirect to the login page which fails ultimately.

I don't suppose you came across this did you later?  As i've been a bit stumped on this one now, tried all kinds of re-write rules.

Unfortunately, I am not using Promotions in my code, so I haven't come across this issue.

Ah ok - i'll keep on looking.  Thanks for the quick response

Commerce Manager does not work over HTTPS if the encryption is terminated at the load-balancer.

The views use CommerceHelper.GetAbsolutePath(string)

This little ****** uses the HttpContext.Current.Request.Url as a base for the absolute URL.

So, if the request is decrypted on the load-balancer, then the Site receives request using HTTP scheme, and thus will create absolute URL using HTTP.

Hi,

We are working on this issue, it will be fixed in upcoming releases.

Regards,

/Q

We have a fix for this in the upcoming release 10.6.0. If you want to test for the fix, contact us directly and we can send you a pre-release build.

Thanks & regards,

/Q

Commerce 10.6.0 was released yetserday.

Steven Carter: In which file did you add the Content-Security-Policy: upgrade-insecure-requests response header?