Changeset 50072 for trunk/src/wp-includes/https-detection.php

Timestamp:

01/29/2021 07:09:49 PM (4 years ago)

Author:

flixos90

Message:

Security, Site Health: Improve accuracy in messaging about HTTPS support.

Following up on [49904], this changeset focuses mainly on improving the guidance about the current state of HTTPS in Site Health.

• Correct the existing copy to indicate that both the Site Address and the WordPress Address need to be changed to fully switch to HTTPS.
• Link to the respective input fields via anchor links rather than to the overall General Settings screen.
• Show different copy if the site is using HTTPS for the WordPress Address (for example to have only the administration panel in HTTPS), but not for the Site Address.
• Inform the user about potential problems even when the site is already using HTTPS, for example if the SSL certificate was no longer valid.
• Always rely on fresh information for determining HTTPS support issues in Site Health, and therefore change the https_status test to become asynchronous.
• Rename the new private wp_is_owned_html_output() function to a more appropriate wp_is_local_html_output().

Props adamsilverstein, flixos90, johnjamesjacoby, timothyblynjacobs.
See #47577.

File:

• trunk/src/wp-includes/https-detection.php (modified) (3 diffs)

trunk/src/wp-includes/https-detection.php

@@ -10 +10 @@
  * Checks whether the website is using HTTPS.
  *
- * This is based on whether the home and site URL are using HTTPS.
- *
- * @since 5.7.0
+ * This is based on whether both the home and site URL are using HTTPS.
+ *
+ * @since 5.7.0
+ * @see wp_is_home_url_using_https()
+ * @see wp_is_site_url_using_https()
  *
  * @return bool True if using HTTPS, false otherwise.
  */
 function wp_is_using_https() {
-    if ( 'https' !== wp_parse_url( home_url(), PHP_URL_SCHEME ) ) {
+    if ( ! wp_is_home_url_using_https() ) {
         return false;
     }
 
+    return wp_is_site_url_using_https();
+}
+
+/**
+ * Checks whether the current site URL is using HTTPS.
+ *
+ * @since 5.7.0
+ * @see home_url()
+ *
+ * @return bool True if using HTTPS, false otherwise.
+ */
+function wp_is_home_url_using_https() {
+    return 'https' === wp_parse_url( home_url(), PHP_URL_SCHEME );
+}
+
+/**
+ * Checks whether the current site's URL where WordPress is stored is using HTTPS.
+ *
+ * This checks the URL where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder) are
+ * accessible.
+ *
+ * @since 5.7.0
+ * @see site_url()
+ *
+ * @return bool True if using HTTPS, false otherwise.
+ */
+function wp_is_site_url_using_https() {
     // Use direct option access for 'siteurl' and manually run the 'site_url'
-    // filter because site_url() will adjust the scheme based on what the
+    // filter because `site_url()` will adjust the scheme based on what the
     // current request is using.
     /** This filter is documented in wp-includes/link-template.php */
     $site_url = apply_filters( 'site_url', get_option( 'siteurl' ), '', null, null );
 
-    if ( 'https' !== wp_parse_url( $site_url, PHP_URL_SCHEME ) ) {
-        return false;
-    }
-
-    return true;
+    return 'https' === wp_parse_url( $site_url, PHP_URL_SCHEME );
 }
 
@@ -105 +130 @@
         if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
             $support_errors->add( 'bad_response_code', wp_remote_retrieve_response_message( $response ) );
-        } elseif ( false === wp_is_owned_html_output( wp_remote_retrieve_body( $response ) ) ) {
+        } elseif ( false === wp_is_local_html_output( wp_remote_retrieve_body( $response ) ) ) {
             $support_errors->add( 'bad_response_source', __( 'It looks like the response did not come from this site.' ) );
         }
@@ -160 +185 @@
  * @return bool|null True/false for whether HTML was generated by this site, null if unable to determine.
  */
-function wp_is_owned_html_output( $html ) {
+function wp_is_local_html_output( $html ) {
     // 1. Check if HTML includes the site's Really Simple Discovery link.
     if ( has_action( 'wp_head', 'rsd_link' ) ) {