Unable to force Mini Profiler scripts to use HTTPS due to base tag with HTTP.

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Create a HTML base tag that points to the unsecure root version of your site 
- http://www.example.com
2. Add MvcMiniProfiler.
3. Visit the HTTPS version of the page.

What is the expected output? What do you see instead?
I would hope that I can manually override either the protocol or tell 
MiniProfiler to use https:// rather than simply '/', which will point to the 
unsecure site.

What version of the product are you using? On what operating system?
Latest Nuget package. Windows 7 Enterprise x64.

Please provide any additional information below.

I'm happy to attach a reduction in HTML if required.

Thanks, Dan Atkinson

Original issue reported on code.google.com by d...@dan-atkinson.com on 21 Jul 2011 at 9:33

[GoogleCodeExporter]

I'm confused a bit here...all of our URLs rendered are relative, like any other 
resource on the page can be.  If you're on a secure site, why is the <base> tag 
pointing to the insecure version (which throws a browser warning by default)?

I'm not completely against adding a absolute/relative switch here, but I don't 
see this use case happening often at all (e.g. I've never seen/heard of it 
before this issue).

Original comment by nrcraver on 22 Jul 2011 at 10:33

[GoogleCodeExporter]

It's a reasonable question.

The reason it's done this way is that we would like all users in our site to be 
on the unsecure one while they're navigating through it, and only access the 
secure part when they go to log in or make bookings. Therefore, all the links 
on the secure pages need to have http://, which is why we use the base tag to 
provide this functionality.

Thanks, Dan

Original comment by d...@dan-atkinson.com on 22 Jul 2011 at 12:13

[GoogleCodeExporter]

I suppose the simplest fix would be to be able to force the files to be loaded 
on the HTTPS protocol. That way, it won't really matter if you're on HTTP or 
HTTPS.

Thanks, Dan

Original comment by d...@dan-atkinson.com on 22 Jul 2011 at 3:34

[GoogleCodeExporter]

We can't really do that, as that assumes *every* site runs on HTTPS, and has a 
valid certificate...both of which usually aren't the case.

I'm afraid it's unlikely we will support this very odd scenario...the relative 
URL should work for 99.9% of use cases, and this particular use case is very, 
very odd.

Original comment by nrcraver on 27 Jul 2011 at 1:30

• Changed state: WontFix

[GoogleCodeExporter]

Nick, I didn't mean force every user to have HTTPS scripts on by default, but 
to have a setting that *allows* this.

Thanks, Dan

Original comment by d...@dan-atkinson.com on 27 Jul 2011 at 1:47