百度网盘读取文件出现block:mixed-content

[izumiChan16]

Please make sure of the following things

• I have read the documentation.
  我已经阅读了文档。

• I'm sure there are no duplicate issues or discussions.
  我确定没有重复的issue或讨论。

• I'm sure it's due to AList and not something else(such as Network ,Dependencies or Operational).
  我确定是AList的问题，而不是其他原因（例如网络，依赖或操作）。

• I'm sure this issue is not fixed in the latest version.
  我确定这个问题在最新版本中没有被修复。

AList Version / AList 版本

v3.37.4

Driver used / 使用的存储驱动

百度网盘

Describe the bug / 问题描述

我在服务器上运行Alist，使用Nginx反代到443进行https访问，在访问百度网盘(Web 代理：关，网盘权限：SVIP，UA：pan.baidu.com)出现了问题

如图，相应的资源链接是http，从而导致出现block:mixed-content错误，无法读取相应文件。

Reproduction / 复现链接

无

Config / 配置

{
  "force": false,
  "site_url": "https://xxx.yyyyy.zzz",
  "cdn": "",
  "jwt_secret": "pZyMUnLMmgnqoeKJ",
  "token_expires_in": 48,
  "database": {
    "type": "sqlite3",
    "host": "",
    "port": 0,
    "user": "",
    "password": "",
    "name": "",
    "db_file": "data/data.db",
    "table_prefix": "x_",
    "ssl_mode": "",
    "dsn": ""
  },
  "meilisearch": {
    "host": "http://localhost:7700",
    "api_key": "",
    "index_prefix": ""
  },
  "scheme": {
    "address": "0.0.0.0",
    "http_port": 5244,
    "https_port": -1,
    "force_https": false,
    "cert_file": "",
    "key_file": "",
    "unix_file": "",
    "unix_file_perm": ""
  },
  "temp_dir": "data/temp",
  "bleve_dir": "data/bleve",
  "dist_dir": "",
  "log": {
    "enable": true,
    "name": "data/log/log.log",
    "max_size": 50,
    "max_backups": 30,
    "max_age": 28,
    "compress": false
  },
  "delayed_start": 0,
  "max_connections": 0,
  "tls_insecure_skip_verify": true,
  "tasks": {
    "download": {
      "workers": 5,
      "max_retry": 1,
      "task_persistant": true
    },
    "transfer": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": true
    },
    "upload": {
      "workers": 5,
      "max_retry": 0,
      "task_persistant": false
    },
    "copy": {
      "workers": 5,
      "max_retry": 2,
      "task_persistant": true
    }
  },
  "cors": {
    "allow_origins": [
      "*"
    ],
    "allow_methods": [
      "*"
    ],
    "allow_headers": [
      "*"
    ]
  },
  "s3": {
    "enable": false,
    "port": 5246,
    "ssl": false
  }

Logs / 日志

[welcome]

Thanks for opening your first issue here! Be sure to follow the issue template!

[izumiChan16]

我尝试了以下方法

在Nginx配置中

# 添加 Content Security Policy 头
 add_header Content-Security-Policy "upgrade-insecure-requests";

http被转为了https链接，但是又会引发CORS错误
我如下修改CORS设置（原本应该在if里面）

    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
    add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
        # 处理 OPTIONS 请求的 CORS
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;

如若此作，CSP头又会失效，链接重新回到http，并且开启Web代理也会产生CORS错误（此前正常）。

[izumiChan16]

我发现这是个无法解决的问题

[pongfcnkl]

那就开web代理

[izumiChan16]

解决了 #2181
自定义头里添加

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

将Alist管理-设置-预览-iframe预览中的“pdf”改为google的预览器即可，将原来的pdf.js那行换成这个：

"Google":"https://docs.google.com/gview?url=$e_url&embedded=true"

代价是速度稍慢，修改头部可能引发的问题目前没有出现