If /nf/tool_icon_css is served from an HTTPS URL, it should try to use https URLs in its output. Or something like that, so that browsers don't give mixed-security content warnings.
The call chain to generate these URLs is deep. A few key stops along the way are:
All the code to generate the URLs was working correctly, we were just caching g.tool_icon_css too heavily with @LazyProperty so the current scheme wasn't being used after the first hit.
Also, this only occurs when ew.url_base and/or static.url_base are set to a different location (e.g. using a CDN) like ://my.cdn/allura/nf/%(build_key)s/_ew_/
Another commit on db/7009 to fix the same over-caching issue, but this time for 3rd party Apps' icon urls.