FIX: Mixed Content Errors while serving ODOO POSBOX over HTTPS

In this article, we`ll check different approaches to fix the mixed content errors we received in ODOO, served over HTTPS, while connecting with POSBOX. But before starting we need to know some basic terms related to it, lets begin:

What is HTTPS ? What are the benefits of using HTTPS over HTTP ?

When we visit a web page using HTTP protocol, your connection to the website is not secured. Hackers can easily do eavesdropping here, and can stole your data which webpage and your server communicates.

That’s why we have HTTPS protocol, The ‘S’ at the end of HTTPS stands for ‘Secure‘. It means all communications between your browser and the website are encrypted. This keeps your information safe from hackers. HTTPS is extremely important if we are using any payment gateways or other password related things in your websites.

What is “mixed content”?

Mixed content error occurs when we try to access a web page which is on HTTPs but the web page’s source code is also pulling some other resources with the insecure HTTP protocol. In this scenario, browsers display a warning/error message saying that the page has both HTTPS and HTTP content, i.e MIXED CONTENT.

Odoo POSBOX blocked by “Mixed Content” Security Policy

After migrating ODOO from http to https, posbox stopped working we have this mixed content problem which prevents loading http resources from a page served in https. In other words if your point of sale is served over https, browser will block the http connection to the posbox. Error message which we are receiving in browser is something like :

Mixed Content: The page at‘ was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint‘. This request has been blocked; the content must be served over HTTPS. send @ web.assets_common.js:954

There are several approaches to fix this issue, which i `ll explain in this article:

Approach 1: Deactivate mixed content security in your browser. [ Works only with Firefox, No workaround found for Chrome/Safari till date ]

To disable mixed content warnings in Firefox open Firefox, enter about:config into address bar and hit Enter. Using the search box, search for a setting called security.mixed_content.block_active_content. Once you have found it, set it to false.
Unfortunately we can`t disable this security in case of Chrome or Safari, we have to use some other approaches in order to fix this issue.

Approach 2: Serve the point of sale over http. [ Have to compromise with loading some of ODOO data in plain HTTP ]

We can serve our point of sale in plain HTTP, and rest of our ODOO as HTTPS by configuring nginx to only serve the point of sale route /pos/web in HTTP.

Check sample nginx configuration file having this setup, LINK

Approach 3: Migrate POSBOX as well, in HTTPS. [ Best Approach Found till date ]

Install & configure nginx in posbox also, and append https:// with the IP address while configuring in your Point of Sale.

I have created a image having nginx properly installed and configured in it, if someone looking for the same, can use it. what you need to do is :

  • Download Image
  • Extract it, and burn it in the memory card, same way as you did for original posbox image.
  • Run your posbox, if you hit your posbox ip address in browser as : https://<posbox-ip-address> , you`ll see your POSBOX default homepage.
  • Put this https://<posbox-ip-address>, in your Point-Of-Sale configuration as: 
    That`s it…

Thanks for reading this blog !!! I hope it will help someone.

Your opinions, comments and suggestions are important to keep this extension updated and more usefull !!!

. . .

Comments (4)

Add Your Comment

  • ER

    thank you for your work. This helped me out a lot. Maybe to implement letsencrypt to avoid certification error and consider updating v16 image also up front?


    • Webkul Support
      Thanks for appreciating our efforts, yes we are looking for enabling letsencrypt and other solution to avoid paid certificates on POSBOX
  • ER

    can you point out how to do Option 2?


    • Mohit Chandra
      Hi @egonraamat:disqus ,
      Approach 2: In case you are using the Point of Sale module in combination with a POSBox, you must disable the HTTPS configuration for the route /pos/web to avoid mixed-content errors, by modifying nginx configuration file, as:


      # Redirect POS to http
      location ~ ^/pos/web {
      rewrite ^(.*) http://$host:8069$1 permanent;

      and restart nginx

      You can also check sample nginx configuration file having this setup from this link :


  • css.php