diff --git a/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn b/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn
index 64b3e848c..7c920f01f 100644
--- a/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn
+++ b/doc/todo/design_for_cross-linking_between_content_and_CGI.mdwn
@@ -109,3 +109,10 @@ in the setup file as http if you intend that they will most commonly
be accessed via http (e.g. the "my cert is not CA-cartel approved"
use-case), or as https if you intend to force accesses into
being via https (the "my wiki is secret" use-case).
+
+# Regression test
+
+I've added a regression test in `t/relativity.t`. We might want to
+consider dropping some of it or skipping it unless a special environment
+variable is set once this is all working, since it's a bit slow.
+--[[smcv]]
diff --git a/t/relativity.t b/t/relativity.t
new file mode 100755
index 000000000..ca1664f3c
--- /dev/null
+++ b/t/relativity.t
@@ -0,0 +1,601 @@
+#!/usr/bin/perl
+use warnings;
+use strict;
+
+use Cwd qw(getcwd);
+use Errno qw(ENOENT);
+
+BEGIN {
+ if (!eval q{
+ use IPC::Run qw(run);
+ 1;
+ }) {
+ eval q{use Test::More skip_all => "IPC::Run not available"};
+ }
+ else {
+ eval q{use Test::More};
+ }
+ use_ok("IkiWiki");
+}
+
+my $pwd = getcwd();
+
+# Black-box (ish) test for relative linking between CGI and static content
+
+my $blob;
+my ($content, $in, %bits);
+
+sub parse_cgi_content {
+ my %bits;
+ if ($content =~ qr{}) {
+ $bits{basehref} = $1;
+ }
+ if ($content =~ qr{href="([^"]+/style.css)"}) {
+ $bits{stylehref} = $1;
+ }
+ if ($content =~ qr{class="parentlinks">\s+this is the name of my wiki/}s) {
+ $bits{tophref} = $1;
+ }
+ if ($content =~ qr{]+href="([^"]+)\?do=prefs"}) {
+ $bits{cgihref} = $1;
+ }
+ return %bits;
+}
+
+ok(! system("make -s ikiwiki.out"));
+ok(! system("rm -rf t/tmp"));
+ok(! system("mkdir t/tmp"));
+
+sub write_old_file {
+ my $name = shift;
+ my $content = shift;
+
+ writefile($name, "t/tmp/in", $content);
+ ok(utime(333333333, 333333333, "t/tmp/in/$name"));
+}
+
+write_old_file("a.mdwn", "A");
+write_old_file("a/b.mdwn", "B");
+write_old_file("a/b/c.mdwn",
+"* A: [[a]]\n".
+"* B: [[b]]\n".
+"* E: [[a/d/e]]\n");
+write_old_file("a/d.mdwn", "D");
+write_old_file("a/d/e.mdwn", "E");
+
+#######################################################################
+# site 1: a perfectly ordinary ikiwiki
+
+writefile("test.setup", "t/tmp", < on static HTML
+unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"});
+# cross-links between static pages are relative
+like($content, qr{A: a});
+like($content, qr{B: b});
+like($content, qr{E: e});
+
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'example.com';
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "http://example.com/wiki/");
+like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when accessed via HTTPS, links are secure
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'example.com';
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "https://example.com/wiki/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when accessed via a different hostname, links stay on that host
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'staging.example.net';
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "http://staging.example.net/wiki/");
+like($bits{stylehref}, qr{^(?:(?:http:)?//staging.example.net)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$});
+
+# previewing a page
+$in = 'do=edit&page=a/b/c&Preview';
+run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'POST';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{HTTP_HOST} = 'example.com';
+ $ENV{CONTENT_LENGTH} = length $in;
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "http://example.com/wiki/a/b/c/");
+like($bits{stylehref}, qr{^(?:(?:http:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$});
+like($bits{cgihref}, qr{^(?:(?:http:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+#######################################################################
+# site 2: static content and CGI are on different servers
+
+writefile("test.setup", "t/tmp", < on static HTML
+unlike($content, qr{]+href="(?:http:)?//cgi.example.com/ikiwiki.cgi\?do=prefs"});
+# cross-links between static pages are still relative
+like($content, qr{A: a});
+like($content, qr{B: b});
+like($content, qr{E: e});
+
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'cgi.example.com';
+});
+%bits = parse_cgi_content($content);
+like($bits{basehref}, qr{^http://static.example.com/$});
+like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$});
+like($bits{tophref}, qr{^(?:http:)?//static.example.com/$});
+like($bits{cgihref}, qr{^(?:(?:http:)?//cgi.example.com)?/ikiwiki.cgi$});
+
+# when accessed via HTTPS, links are secure
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'cgi.example.com';
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+TODO: {
+local $TODO = "avoid mixed content";
+like($bits{basehref}, qr{^https://static.example.com/$});
+like($bits{stylehref}, qr{^(?:(?:https:)?//static.example.com)?/style.css$});
+like($bits{tophref}, qr{^(?:https:)?//static.example.com/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//cgi.example.com)?/ikiwiki.cgi$});
+}
+
+# when accessed via a different hostname, links to the CGI (only) should
+# stay on that host?
+$in = 'do=edit&page=a/b/c&Preview';
+run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'POST';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/ikiwiki.cgi';
+ $ENV{HTTP_HOST} = 'staging.example.net';
+ $ENV{HTTPS} = 'on';
+ $ENV{CONTENT_LENGTH} = length $in;
+});
+like($bits{basehref}, qr{^http://static.example.com/$});
+like($bits{stylehref}, qr{^(?:(?:http:)?//static.example.com)?/style.css$});
+like($bits{tophref}, qr{^(?:http:)?//static.example.com/$});
+TODO: {
+local $TODO = "use self-referential CGI URL?";
+like($bits{cgihref}, qr{^(?:(?:http:)?//staging.example.net)?/ikiwiki.cgi$});
+}
+
+#######################################################################
+# site 3: we specifically want everything to be secure
+
+writefile("test.setup", "t/tmp", < on static HTML
+unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"});
+# cross-links between static pages are relative
+like($content, qr{A: a});
+like($content, qr{B: b});
+like($content, qr{E: e});
+
+# when accessed via HTTPS, links are secure
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'example.com';
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "https://example.com/wiki/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when not accessed via HTTPS, links should still be secure
+# (but if this happens, that's a sign of web server misconfiguration)
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'example.com';
+});
+%bits = parse_cgi_content($content);
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+TODO: {
+local $TODO = "treat https in configured url, cgiurl as required?";
+is($bits{basehref}, "https://example.com/wiki/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+}
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when accessed via a different hostname, links stay on that host
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'staging.example.net';
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "https://staging.example.net/wiki/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//staging.example.net)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$});
+
+# previewing a page
+$in = 'do=edit&page=a/b/c&Preview';
+run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'POST';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{HTTP_HOST} = 'example.com';
+ $ENV{CONTENT_LENGTH} = length $in;
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+is($bits{basehref}, "https://example.com/wiki/a/b/c/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+#######################################################################
+# site 4 (NetBSD wiki): CGI is secure, static content doesn't have to be
+
+writefile("test.setup", "t/tmp", < on static HTML
+unlike($content, qr{]+href="https://example.com/cgi-bin/ikiwiki.cgi\?do=prefs"});
+# cross-links between static pages are relative
+like($content, qr{A: a});
+like($content, qr{B: b});
+like($content, qr{E: e});
+
+# when accessed via HTTPS, links are secure (to avoid mixed-content)
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'example.com';
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+TODO: {
+local $TODO = "avoid mixed content";
+is($bits{basehref}, "https://example.com/wiki/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+}
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when not accessed via HTTPS, ???
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'example.com';
+});
+%bits = parse_cgi_content($content);
+like($bits{basehref}, qr{^https?://example.com/wiki/$});
+like($bits{stylehref}, qr{^(?:(?:https?:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:(?:https?://example.com)?/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when accessed via a different hostname, links stay on that host
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'staging.example.net';
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+TODO: {
+local $TODO = "avoid mixed content";
+like($bits{basehref}, qr{^https://example.com/wiki/$});
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:(?:(?:https:)?//example.com)?/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$});
+}
+
+# previewing a page
+$in = 'do=edit&page=a/b/c&Preview';
+run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'POST';
+ $ENV{SERVER_PORT} = '443';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{HTTP_HOST} = 'example.com';
+ $ENV{CONTENT_LENGTH} = length $in;
+ $ENV{HTTPS} = 'on';
+});
+%bits = parse_cgi_content($content);
+TODO: {
+local $TODO = "avoid mixed content";
+is($bits{basehref}, "https://example.com/wiki/a/b/c/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+}
+like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# Deliberately not testing https static content with http cgiurl,
+# because that makes remarkably little sense.
+
+#######################################################################
+# site 5: w3mmode, as documented in [[w3mmode]]
+
+writefile("test.setup", "t/tmp", < on static HTML
+unlike($content, qr{]+href="(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi\?do=prefs"});
+# cross-links between static pages are still relative
+like($content, qr{A: a});
+like($content, qr{B: b});
+like($content, qr{E: e});
+
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{PATH_INFO} = '/ikiwiki.cgi';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki-w3m.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+});
+%bits = parse_cgi_content($content);
+like($bits{tophref}, qr{^(?:\Q$pwd\E/t/tmp/out|\.)/$});
+like($bits{cgihref}, qr{^(?:file://)?/\$LIB/ikiwiki-w3m.cgi/ikiwiki.cgi$});
+TODO: {
+local $TODO = "should be file:///";
+like($bits{basehref}, qr{^(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out/$});
+like($bits{stylehref}, qr{^(?:(?:(?:file:)?//)?\Q$pwd\E/t/tmp/out|\.)/style.css$});
+}
+
+#######################################################################
+# site 6: we're behind a reverse-proxy
+
+writefile("test.setup", "t/tmp", < on static HTML
+unlike($content, qr{]+href="/cgi-bin/ikiwiki.cgi\?do=prefs"});
+# cross-links between static pages are relative
+like($content, qr{A: a});
+like($content, qr{B: b});
+like($content, qr{E: e});
+
+# because we are behind a reverse-proxy we must assume that
+# we're being accessed by the configured cgiurl
+run(["./t/tmp/ikiwiki.cgi"], \undef, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'GET';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{QUERY_STRING} = 'do=prefs';
+ $ENV{HTTP_HOST} = 'localhost';
+});
+%bits = parse_cgi_content($content);
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+TODO: {
+local $TODO = "reverse-proxy support needed";
+is($bits{basehref}, "https://example.com/wiki/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+}
+
+# previewing a page
+$in = 'do=edit&page=a/b/c&Preview';
+run(["./t/tmp/ikiwiki.cgi"], \$in, \$content, init => sub {
+ $ENV{REQUEST_METHOD} = 'POST';
+ $ENV{SERVER_PORT} = '80';
+ $ENV{SCRIPT_NAME} = '/cgi-bin/ikiwiki.cgi';
+ $ENV{HTTP_HOST} = 'localhost';
+ $ENV{CONTENT_LENGTH} = length $in;
+});
+%bits = parse_cgi_content($content);
+like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+TODO: {
+local $TODO = "reverse-proxy support needed";
+is($bits{basehref}, "https://example.com/wiki/a/b/c/");
+like($bits{stylehref}, qr{^(?:(?:https:)?//example.com)?/wiki/style.css$});
+}
+
+done_testing;