check if client-presented URL scheme is different from one configured in SELF_URL_PATH

classes/errors.php

@@ -5,8 +5,9 @@ class Errors {
 	const E_UNKNOWN_METHOD = "E_UNKNOWN_METHOD";
 	const E_UNKNOWN_PLUGIN = "E_UNKNOWN_PLUGIN";
 	const E_SCHEMA_MISMATCH = "E_SCHEMA_MISMATCH";
+	const E_URL_SCHEME_MISMATCH = "E_URL_SCHEME_MISMATCH";
 
-	static function to_json(string $code) {
+	static function to_json(string $code, array $params = []) {
-		return json_encode(["error" => ["code" => $code]]);
+		return json_encode(["error" => ["code" => $code, "params" => $params]]);
 	}
 }

classes/rpc.php

@@ -168,10 +168,21 @@ class RPC extends Handler_Protected {
 		$_SESSION["hasSandbox"] = clean($_REQUEST["hasSandbox"]) === "true";
 		$_SESSION["clientTzOffset"] = clean($_REQUEST["clientTzOffset"]);
 
+		$client_location = $_REQUEST["clientLocation"];
+
 		$error = Errors::E_SUCCESS;
+		$error_params = [];
+
+		$client_scheme = parse_url($client_location, PHP_URL_SCHEME);
+		$server_scheme = parse_url(get_self_url_prefix(), PHP_URL_SCHEME);
 
 		if (get_schema_version() != SCHEMA_VERSION) {
 			$error = Errors::E_SCHEMA_MISMATCH;
+		} else if ($client_scheme != $server_scheme) {
+			$error = Errors::E_URL_SCHEME_MISMATCH;
+			$error_params["client_scheme"] = $client_scheme;
+			$error_params["server_scheme"] = $server_scheme;
+			$error_params["self_url_path"] = get_self_url_prefix();
 		}
 
 		if ($error == Errors::E_SUCCESS) {
@@ -183,7 +194,7 @@ class RPC extends Handler_Protected {
 
 			print json_encode($reply);
 		} else {
-			print Errors::to_json($error);
+			print Errors::to_json($error, $error_params);
 		}
 	}
 

js/App.js

@@ -418,7 +418,7 @@ const App = {
 
          if (error && error.code && error.code != App.Error.E_SUCCESS) {
             console.warn("handleRpcJson: fatal error", error);
-            this.Error.fatal(error.code);
+            this.Error.fatal(error.code, error.params);
             return false;
          }
 
@@ -547,6 +547,7 @@ const App = {
       E_SUCCESS: "E_SUCCESS",
       E_UNAUTHORIZED: "E_UNAUTHORIZED",
       E_SCHEMA_MISMATCH: "E_SCHEMA_MISMATCH",
+      E_URL_SCHEME_MISMATCH: "E_URL_SCHEME_MISMATCH",
 		fatal: function (error, params = {}) {
          if (error == App.Error.E_UNAUTHORIZED) {
             window.location.href = "index.php";
@@ -554,9 +555,14 @@ const App = {
          } else if (error == App.Error.E_SCHEMA_MISMATCH) {
             window.location.href = "public.php?op=dbupdate";
             return;
+         } else if (error == App.Error.E_URL_SCHEME_MISMATCH) {
+            params.description = __("URL scheme reported by your browser (%a) doesn't match server-configured SELF_URL_PATH (%b), check X-Forwarded-Proto.")
+               .replace("%a", params.client_scheme)
+               .replace("%b", params.server_scheme);
+            params.info = `SELF_URL_PATH: ${params.self_url_path}\nCLIENT_LOCATION: ${document.location.href}`
          }
 
-			return this.report(__("Fatal error: %s").replace("%s", error),
+			return this.report(error,
 				{...{title: __("Fatal error")}, ...params});
 		},
 		report: function(error, params = {}) {
@@ -587,10 +593,13 @@ const App = {
                <div class='exception-contents'>
                   <h3>${message}</h3>
 
-                  <header>${__('Stack trace')}</header>
+                  ${params.description ? `<p>${params.description}</p>` : ''}
+
+                  ${error.stack ?
+                  `<header>${__('Stack trace')}</header>
                   <section>
                      <textarea readonly='readonly'>${error.stack}</textarea>
-                  </section>
+                  </section>` : ''}
 
                   ${params && params.info ?
                      `
@@ -650,7 +659,8 @@ const App = {
             op: "rpc",
             method: "sanityCheck",
             clientTzOffset: new Date().getTimezoneOffset() * 60,
-            hasSandbox: "sandbox" in document.createElement("iframe")
+            hasSandbox: "sandbox" in document.createElement("iframe"),
+            clientLocation: window.location.href
          };
 
          xhr.json("backend.php", params, (reply) => {