WordPress.org

Make WordPress Core


Timestamp:
01/29/2021 07:09:49 PM (12 months ago)
Author:
flixos90
Message:

Security, Site Health: Improve accuracy in messaging about HTTPS support.

Following up on [49904], this changeset focuses mainly on improving the guidance about the current state of HTTPS in Site Health.

  • Correct the existing copy to indicate that both the Site Address and the WordPress Address need to be changed to fully switch to HTTPS.
  • Link to the respective input fields via anchor links rather than to the overall General Settings screen.
  • Show different copy if the site is using HTTPS for the WordPress Address (for example to have only the administration panel in HTTPS), but not for the Site Address.
  • Inform the user about potential problems even when the site is already using HTTPS, for example if the SSL certificate was no longer valid.
  • Always rely on fresh information for determining HTTPS support issues in Site Health, and therefore change the https_status test to become asynchronous.
  • Rename the new private wp_is_owned_html_output() function to a more appropriate wp_is_local_html_output().

Props adamsilverstein, flixos90, johnjamesjacoby, timothyblynjacobs.
See #47577.

File:
1 edited

  • trunk/src/wp-includes/https-detection.php

    r49909 r50072  
    1010 * Checks whether the website is using HTTPS.
    1111 *
    12  * This is based on whether the home and site URL are using HTTPS.
    13  *
    14  * @since 5.7.0
     12 * This is based on whether both the home and site URL are using HTTPS.
     13 *
     14 * @since 5.7.0
     15 * @see wp_is_home_url_using_https()
     16 * @see wp_is_site_url_using_https()
    1517 *
    1618 * @return bool True if using HTTPS, false otherwise.
    1719 */
    1820function wp_is_using_https() {
    19     if ( 'https' !== wp_parse_url( home_url(), PHP_URL_SCHEME ) ) {
     21    if ( ! wp_is_home_url_using_https() ) {
    2022        return false;
    2123    }
    2224
     25    return wp_is_site_url_using_https();
     26}
     27
     28/**
     29 * Checks whether the current site URL is using HTTPS.
     30 *
     31 * @since 5.7.0
     32 * @see home_url()
     33 *
     34 * @return bool True if using HTTPS, false otherwise.
     35 */
     36function wp_is_home_url_using_https() {
     37    return 'https' === wp_parse_url( home_url(), PHP_URL_SCHEME );
     38}
     39
     40/**
     41 * Checks whether the current site's URL where WordPress is stored is using HTTPS.
     42 *
     43 * This checks the URL where WordPress application files (e.g. wp-blog-header.php or the wp-admin/ folder) are
     44 * accessible.
     45 *
     46 * @since 5.7.0
     47 * @see site_url()
     48 *
     49 * @return bool True if using HTTPS, false otherwise.
     50 */
     51function wp_is_site_url_using_https() {
    2352    // Use direct option access for 'siteurl' and manually run the 'site_url'
    24     // filter because site_url() will adjust the scheme based on what the
     53    // filter because `site_url()` will adjust the scheme based on what the
    2554    // current request is using.
    2655    /** This filter is documented in wp-includes/link-template.php */
    2756    $site_url = apply_filters( 'site_url', get_option( 'siteurl' ), '', null, null );
    2857
    29     if ( 'https' !== wp_parse_url( $site_url, PHP_URL_SCHEME ) ) {
    30         return false;
    31     }
    32 
    33     return true;
     58    return 'https' === wp_parse_url( $site_url, PHP_URL_SCHEME );
    3459}
    3560
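Review bot: wp_is_home_url_using_https() reads the scheme from home_url() directly, while wp_is_site_url_using_https() deliberately bypasses site_url() because, per its own comment, it "will adjust the scheme based on what the current request is using". If home_url() applies the same per-request adjustment, the home check reports HTTPS whenever the request itself arrived over HTTPS, regardless of the stored Site Address, which would make the new "WordPress Address is HTTPS but Site Address is not" messaging unreliable. Consider reading get_option( 'home' ) and running the 'home_url' filter manually, mirroring the siteurl branch, or add a comment explaining why the asymmetry is safe. Separately, the new docblock "Checks whether the current site URL is using HTTPS." sits on the home URL function and is easy to confuse with the site URL one; "home URL (Site Address)" would be clearer.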
     
    105130        if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
    106131            $support_errors->add( 'bad_response_code', wp_remote_retrieve_response_message( $response ) );
    107         } elseif ( false === wp_is_owned_html_output( wp_remote_retrieve_body( $response ) ) ) {
     132        } elseif ( false === wp_is_local_html_output( wp_remote_retrieve_body( $response ) ) ) {
    108133            $support_errors->add( 'bad_response_source', __( 'It looks like the response did not come from this site.' ) );
    109134        }
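Review bot: the strict comparison in `false === wp_is_local_html_output( ... )` means a null return is treated the same as true, and the function's docblock further down says it returns "null if unable to determine". A 200 response whose origin could not be verified therefore passes without any entry in $support_errors. If that is intentional, a short inline comment here saying so would help; otherwise consider recording a distinct, non-blocking error code for the undetermined case so Site Health can tell "verified local" from "unknown".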
     
    160185 * @return bool|null True/false for whether HTML was generated by this site, null if unable to determine.
    161186 */
    162 function wp_is_owned_html_output( $html ) {
     187function wp_is_local_html_output( $html ) {
    163188    // 1. Check if HTML includes the site's Really Simple Discovery link.
    164189    if ( has_action( 'wp_head', 'rsd_link' ) ) {
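Review bot: the rename at `function wp_is_local_html_output( $html ) {` leaves no alias for wp_is_owned_html_output(). That is fine for a private function that has not shipped in a release, but please confirm that no tests or other callers still reference the old name, and that the part of this docblock not shown in the hunk does not still describe the output as "owned".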