+like($bits{tophref}, qr{^(?:/wiki|\.\./\.\./\.\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+write_setup_file(
+ html5 => 1,
+ url => "http://example.com/wiki/",
+ cgiurl => "https://example.com/cgi-bin/ikiwiki.cgi",
+);
+thoroughly_rebuild();
+check_cgi_mode_bits();
+# url and cgiurl are on the same host but different schemes
+check_generated_content(qr{<a[^>]+href="https://example.com/cgi-bin/ikiwiki.cgi\?do=prefs"});
+
+# when accessed via HTTPS, links are secure (to avoid mixed-content)
+%bits = parse_cgi_content(run_cgi(is_https => 1));
+is($bits{basehref}, "/wiki/");
+is($bits{stylehref}, "/wiki/style.css");
+is($bits{tophref}, "/wiki/");
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when not accessed via HTTPS, ???
+%bits = parse_cgi_content(run_cgi());
+like($bits{basehref}, qr{^(?:https?://example.com)?/wiki/$});
+like($bits{stylehref}, qr{^(?:(?:https?:)?//example.com)?/wiki/style.css$});
+like($bits{tophref}, qr{^(?:(?:https?://example.com)?/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//example.com)?/cgi-bin/ikiwiki.cgi$});
+
+# when accessed via a different hostname, links stay on that host
+%bits = parse_cgi_content(run_cgi(is_https => 1, HTTP_HOST => 'staging.example.net'));
+# because the static and dynamic stuff is on the same server, we assume that
+# both are also on the staging server
+is($bits{basehref}, "/wiki/");
+is($bits{stylehref}, "/wiki/style.css");
+like($bits{tophref}, qr{^(?:/wiki|\.)/$});
+like($bits{cgihref}, qr{^(?:(?:https:)?//(?:example\.com|staging\.example\.net))?/cgi-bin/ikiwiki.cgi$});
+TODO: {
+local $TODO = "this should really point back to itself but currently points to example.com";
+like($bits{cgihref}, qr{^(?:(?:https:)?//staging.example.net)?/cgi-bin/ikiwiki.cgi$});