If I understand correctly, some browsers (hello IE!) throw up warnings when patrons enter "My Account" in the OPAC because there are some hard-coded HTTP requests mixed in with the HTTPS session. When patrons opt to not allow the browser to load mixed content, hilarity (or some miserable facsimile thereof) ensues. This is bad. Apaprently things are even worse in IE8.
It looks like the mixed content is due to Open-ILS/var/web/opac/skin/default/xml/setenv.xml: setenv.xml:<!--#set var="OILS_BASE" value="http://${SERVER_NAME}/${OILS_OPAC_BASE}"--> setenv.xml: <!--#set var="OILS_OPAC_JS_HOST" value="http://${OILS_OPAC_JS_HOST}"--> setenv.xml: <!--#set var="OILS_OPAC_CSS_HOST" value="http://${OILS_OPAC_CSS_HOST}"--> Setting these to the following alleviates the problem: setenv.xml:<!--#set var="OILS_BASE" value="${OILS_OPAC_BASE}"--> setenv.xml: <!--#set var="OILS_OPAC_JS_HOST" value=""--> setenv.xml: <!--#set var="OILS_OPAC_CSS_HOST" value=""--> The win from having a non-scary default configuration seems to, in my mind, outweigh the possible balancing of JS and CSS across different hosts. Would there be any objection to my merging a commit that resets each offending var to a non-scary default value, along with a comment that explains what in the wide world of sports is going on? -- Dan Scott Laurentian University