At present, plone.app.theming relies on BASE1 from the request object in order to attempt to ascertain the hostname of the request. These BASEx variables encompass the path to a Plone site/Zope install -- and are problematic when a site is hosted on a sub-directory (or sub-sub-directory, etc). Since BASE1 contains a path, this isn't necessarily going to be just the server URL.
Looking at the ZPublisher, SERVER_URL is built up from the relevant CGI-style environment variables and should be value used.
can you get this pull request up to date with master?
Ensure hostname blacklisting correctly determines incoming hostname.
@garbas Done. Rebased with master and annoying typo fixed.