apigee-127/swagger-tools

Swagger UI attempts to load petstore on xhr.readyState.HEADERS_RECEIVED

Closed this issue · 1 comments

My server is hosting HTTPS with swagger-tools, and when I navigate to my swagger-ui path (the default https://localhost:[port]/docs), my browser (Chrome) warns me: "Insecure content blocked". This is because the page is attempting an XHR to http://petstore.swagger.io/v2/swagger.json.

```javascript
xhr.onreadystatechange = function () {
  var url = 'http://petstore.swagger.io/v2/swagger.json';
  if (xhr.readyState === XMLHttpRequest.DONE) {
    url = xhr.getResponseHeader('Swagger-API-Docs-URL');
  } else {
    console.log('Unable to get the Swagger UI URL from the server (%s): %s', xhr.status, xhr.responseText);
  }
  initSwaggerUi(url);
};
```

It seems that the xhr.onreadystatechange callback is called twice: once for HEADERS_RECEIVED, then again for DONE. On the first call, the code proceeds to call initSwaggerUi(url) with the petstore URL because the xhr.readyState is not yet DONE. The petstore JSON is hosted via HTTP, and since Chrome is showing a page over HTTPS, it warns the user of a fishy smell.
Besides the warning, the rest of the page behavior is top notch.
Is this petstore call intentional? I didn't see any documentation around it.
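
The double callback described in this issue, reproduced as an added example that is not part of the issue or of the swagger-tools code. `fakeXhr`, `guardedHandler`, `urlsLoaded` and `SPEC_URL` are hypothetical names and constructed values; the stand-in fires only the two state changes the issue reports, and the guarded handler is one possible fix, not the project's own.

```javascript
// Added illustration; fakeXhr, guardedHandler, urlsLoaded and SPEC_URL are
// hypothetical names, not swagger-tools or swagger-ui code.
const HEADERS_RECEIVED = 2, DONE = 4;
const FALLBACK_URL = 'http://petstore.swagger.io/v2/swagger.json';
const SPEC_URL = 'https://localhost:8443/api-docs'; // constructed sample value

// Constructed stand-in for XMLHttpRequest: fires the two state changes the
// issue reports, HEADERS_RECEIVED and then DONE.
function fakeXhr(headerValue) {
  return {
    readyState: 0,
    onreadystatechange: null,
    getResponseHeader: function () { return headerValue; },
    send: function () {
      for (const state of [HEADERS_RECEIVED, DONE]) {
        this.readyState = state;
        this.onreadystatechange();
      }
    }
  };
}

// Handler as posted in the issue (logging omitted): init runs on every call.
function originalHandler(xhr, initSwaggerUi) {
  return function () {
    var url = FALLBACK_URL;
    if (xhr.readyState === DONE) {
      url = xhr.getResponseHeader('Swagger-API-Docs-URL');
    }
    initSwaggerUi(url);
  };
}

// Assumed fix: ignore intermediate states, initialise exactly once on DONE.
function guardedHandler(xhr, initSwaggerUi) {
  return function () {
    if (xhr.readyState !== DONE) { return; }
    initSwaggerUi(xhr.getResponseHeader('Swagger-API-Docs-URL') || FALLBACK_URL);
  };
}

// Returns every URL the handler passed to initSwaggerUi, in order.
function urlsLoaded(makeHandler, headerValue) {
  const calls = [];
  const xhr = fakeXhr(headerValue);
  xhr.onreadystatechange = makeHandler(xhr, function (url) { calls.push(url); });
  xhr.send();
  return calls;
}

console.log('original:', urlsLoaded(originalHandler, SPEC_URL));
console.log('guarded: ', urlsLoaded(guardedHandler, SPEC_URL));
```

With the original handler the first entry is the plain-HTTP petstore URL, which is the request Chrome blocks on an HTTPS page; the guarded handler only falls back to it when the header is absent.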

This should be done in swagger-ui and not in swagger-tools.