id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
13941,WP_CONTENT_URL should use site_url() to support HTTPS / SSL,micropat,ryan,"On HTTPS pages, users sometimes get 'insecure content' warnings from their browser.  This is commonly caused by plugins which use the ''WP_PLUGIN_URL'' constant to get the full plugin directory URL for the sake of loading static content.

The problem is that ''WP_PLUGIN_URL'' will always return the ''siteurl'' (as specified in Settings > General) and thus does not adjust from http:... to https:... when needed.

''WP_PLUGIN_URL'' is dependent on ''WP_CONTENT_URL'', and ''WP_CONTENT_URL'' is derived from ''get_option('siteurl')'', which only returns the ''siteurl'' and does not adjust for HTTPS pages. However, the ''site_url()'' function '''does''' adjust for HTTPS pages.

So, to fully support HTTPS and directives such as ''FORCE_SSL_LOGIN'' and ''FORCE_SSL_ADMIN'', ''WP_CONTENT_URL'' needs to use the ''site_url()'' function as proposed in my riveting one-liner patch.

Related #10198 #9008",enhancement,new,normal,Future Release,General,,normal,,has-patch,micropat WordPress@… pauli.price@… jer@…