Make WordPress Core

03/05/2015 02:38:59 AM (9 years ago)

In wp_get_attachment_url(), convert to HTTPS when possible.

wp_get_attachment_url(), via wp_upload_dir(), uses 'siteurl' to generate
attachment URLs. When a site is SSL-optional on the front end - i.e., 'siteurl'
is non-HTTPS, but SSL is available - a number of situations can arise where
non-HTTPS attachment URLs cause browser mixed-content warnings:

a) SSL is forced in the admin and wp_get_attachment_url() is used to generate the <img> tag for an inserted image. In these cases, the post content will contain non-HTTPS. Viewing/editing this post in the Dashboard will result in non-HTTPS images being served in an SSL environment.
b) wp_get_attachment_url() is used in a theme to generate an <img> src attribute on a public page. When viewing that page over SSL, the images will have HTTP URLs.

This changeset switches attachment URLs to HTTPS when it's determined that the
host supports SSL. This happens when 'siteurl' is non-SSL, but the current page
request *is* over SSL, and the host of the current request matches the host of
the URL being generated.

Props joemcgill, boonebgorges.
Fixes #15928.

1 edited


  • trunk/src/wp-includes/post.php

    r31575 r31614  
    49814981    }
     4983    /*
     4984     * If currently on SSL, prefer HTTPS URLs when we know they're supported by the domain
     4985     * (which is to say, when they share the domain name of the current SSL page).
     4986     */
     4987    if ( is_ssl() && 'https' !== substr( $url, 0, 5 ) && parse_url( $url, PHP_URL_HOST ) === $_SERVER['HTTP_HOST'] ) {
     4988        $url = set_url_scheme( $url, 'https' );
     4989    }
    49834991    /**
    49844992     * Filter the attachment URL.
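Review bot: the host check on added line 4987 compares `parse_url( $url, PHP_URL_HOST )` with the raw `$_SERVER['HTTP_HOST']`, and that comparison is brittle in two ways. `HTTP_HOST` is the Host header exactly as the client sent it, so it can carry a port suffix or different letter case, while `parse_url()` with `PHP_URL_HOST` returns the host without the port. On a site served over HTTPS on a non-default port the strict `===` therefore never matches and the attachment URL stays HTTP, which leaves the mixed-content warning this change is meant to remove. The index can also be absent when a request carries no Host header, which raises an undefined-index notice here. Suggest guarding with `isset( $_SERVER['HTTP_HOST'] )` and comparing a normalized value (lowercased, port stripped) on both sides. Because the header is client-supplied, it is also worth stating in the comment block at 4983-4986 that a match only ever upgrades the scheme of a URL already built from 'siteurl' and never changes its host, so later edits keep that property.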