You have misunderstood and jumped to a conclusion. I had also not pinned the problem down, which I have now.
I do not use live_site. In the txt attachment earlier I reference the code in comprofiler.php where CB calls the CB framework ->getCfg('live_site'). This uses the Joomla API, yes, I know, hence the discussion of JURI::base(). I carried on the naming that CB has used: 'live_site'.
In fact getCfg('live_site') (the Joomla API) is generating the correct https:// address but CB isn't checking it properly. Let me explain further.
I use mod_cblogin to log in via https:// but then, in general, redirect back to http:// as the whole site doesn't need to be encrypted. This means that at the time the return address is checked, CB is logging the user in via https://. Thus the return address can be http:// but CB_framework->getCfg('live_site') can be https://.
CB doesn't check this when testing for the redirect; it just tests the redirect address against CB_framework->getCfg('live_site').
So, without my modification, if I log in from a page via https:// I get redirected to the homepage and if I echo out the return value and CB_framework->getCfg('live_site') they are as below:
echo CB $live_site: https ://www.mysite.com
echo return: http ://www.mysite.com/news/latest
If I log in from a page via http:// I get properly redirected to the originating page and if I echo out the return value and CB_framework->getCfg('live_site') they are as below:
echo CB $live_site: http ://www.mysite.com
echo return: http ://www.mysite.com/news/latest
Now do you see?
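
The mismatch described in the post above, as an added PHP illustration that is not part of the original post and is not Community Builder's code: a return-address check that ignores the http/https difference while still requiring the same host, port and base path, so the redirect cannot be pointed at another site. The function name `isSameSiteReturnUrl` and the look-alike host in the last call are assumptions made for the example.

```php
<?php
// Added illustration, not Community Builder code; all names are hypothetical.

function isSameSiteReturnUrl(string $returnUrl, string $liveSite): bool
{
    // Whitespace, control characters and backslashes are parsed
    // inconsistently by browsers, so refuse them outright.
    if (preg_match('/[\x00-\x20\\\\]/', $returnUrl)) {
        return false;
    }
    $ret  = parse_url($returnUrl);
    $site = parse_url($liveSite);
    if (!is_array($ret) || !is_array($site)
        || !isset($ret['scheme'], $ret['host'], $site['scheme'], $site['host'])) {
        return false; // malformed, relative or protocol-relative URL
    }
    $defaultPorts = ['http' => 80, 'https' => 443];
    $retScheme  = strtolower($ret['scheme']);
    $siteScheme = strtolower($site['scheme']);
    if (!isset($defaultPorts[$retScheme], $defaultPorts[$siteScheme])
        || isset($ret['user']) || isset($ret['pass'])) {
        return false; // only http(s), and no embedded credentials
    }
    // The scheme is deliberately not compared; the host must match exactly.
    if (strcasecmp($ret['host'], $site['host']) !== 0) {
        return false;
    }
    // A default port counts as "no port", so :80 and :443 are equivalent.
    $retPort  = $ret['port']  ?? $defaultPorts[$retScheme];
    $sitePort = $site['port'] ?? $defaultPorts[$siteScheme];
    $retPort  = $retPort  === $defaultPorts[$retScheme]  ? 0 : $retPort;
    $sitePort = $sitePort === $defaultPorts[$siteScheme] ? 0 : $sitePort;
    if ($retPort !== $sitePort) {
        return false;
    }
    // If the site lives in a subdirectory, the return path must be under it.
    $base = rtrim($site['path'] ?? '', '/');
    $path = $ret['path'] ?? '/';
    return $base === '' || $path === $base
        || strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Values from the post, plus one constructed look-alike host.
var_dump(isSameSiteReturnUrl('http://www.mysite.com/news/latest', 'https://www.mysite.com'));
var_dump(isSameSiteReturnUrl('http://www.mysite.com/news/latest', 'http://www.mysite.com'));
var_dump(isSameSiteReturnUrl('http://www.mysite.com.example.net/', 'https://www.mysite.com'));
```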