
Opened 6 years ago

Closed 22 months ago

Last modified 22 months ago

#11009 closed defect (bug) (fixed)

screenshots of plugins from wordpress.org load over http instead of https when FORCE_SSL_ADMIN is enabled

Reported by: brantgurga
Owned by: nacin
Milestone: 3.7
Priority: normal
Severity: normal
Version: 2.9
Component: WordPress.org site
Keywords: dev-feedback
Focuses:
Cc:

Description

  1. Enable FORCE_SSL_ADMIN in Wordpress on an appropriate host.
  2. Use default settings in Internet Explorer 8.
  3. Go to the plugin installation page.
  4. Choose a plugin from wordpress.org to install.

Actual Result:
You get a mixed mode warning because the screenshots and possibly other content loaded from wordpress.org are loaded over http instead of https.

Expected Result:
Screenshots are loaded over https so that content is not mixed.

Attachments (1)

11009.diff (1.2 KB) - added by nacin 22 months ago.


Change History (13)

comment:1 @scribu 6 years ago

  • Component changed from General to Upgrade/Install
  • Milestone set to Future Release

comment:2 @hakre 6 years ago

  • Type changed from defect (bug) to feature request

The ticket's description might be somehow incomplete. Mixing does mean that you are mixing files from different hosts as well.

Additionally, mixing content is not a bug. What the reporter wants is a new feature that prevents a certain message in a certain browser. This might increase usability within certain user groups. But this is not a bug.

comment:3 @brantgurga 6 years ago

Other browsers can warn about this situation as well and it is a bug not a feature request. The reason is that when a page is loaded over https, there is a trust associated with it being from where it claims to be from. As soon as you load non-https content into the page, that non-https content can potentially handle all the interaction and appearance of the page.

That said, it appears that a change, either in Wordpress itself or the Wordpress site has worked around/fixed this issue by displaying the alt text instead of the screenshots in this scenario.

This is as of Wordpress 2.9.1 if it is a change in the Wordpress code itself for reference.

comment:4 @brantgurga 6 years ago

  • Cc brantgurga added

comment:5 @dd32 5 years ago

  • Keywords dev-feedback added
  • Type changed from feature request to defect (bug)
  • Version set to 2.9

There hadn't been any changes here, I don't think. It would've been related to either the browser preventing non-secure items from loading or the wordpress.org site being unavailable for some reason.

This will require a change on the WordPress.org servers as well, to allow screenshots to be loaded over HTTPS; this is currently not possible.

comment:6 @iseulde 2 years ago

  • Component changed from Upgrade/Install to WordPress.org site

comment:7 @westi 2 years ago

  • Milestone changed from Future Release to 3.7

It would be good to take a look at this during 3.7 as part of the investigative work I have started to see if we can make all the requests to api.wordpress.org over https.

In theory that work, which is currently testable via the Beta Tester plugin, should make us load screenshots over SSL if I fixed all the api responses correctly :)

comment:8 @thesunpaladin 22 months ago

This is still an issue.

The screenshot images have "http" instead of "https". In the file wp-admin/includes/plugin-install.php the "plugins_api" function makes a call to a WordPress service that returns the "Details" for a plugin. Those details hardcode an http protocol for assets. Simply replacing http with https in core will not address the issue because the static-asset CDN (eg: "http://s-plugins.wordpress.org/...") does not return a valid SSL certificate.

Here is an example of what happens when https is used to access the image:
http://thesunpaladin.files.wordpress.com/2013/09/screen-shot-2013-09-28-at-6-12-00-pm.png

Until the CDN can serve SSL traffic there is no point in trying to resolve this in core.

comment:10 @nacin 22 months ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 25691:

Send current SSL status to the plugin information API endpoint so we can render screenshots over SSL if appropriate. fixes #11009.

comment:11 follow-up: @johnbillion 22 months ago

Rather than sending the SSL status to the API and the API returning SSL or non-SSL screenshot URLs as appropriate, shouldn't the API return both SSL and non-SSL screenshot URLs each time in two separate fields (eg. screenshots and screenshots_ssl)? Then the site would decide which to use based on is_SSL().


comment:12 in reply to: ↑ 11 @nacin 22 months ago

Replying to johnbillion:

Rather than sending the SSL status to the API and the API returning SSL or non-SSL screenshot URLs as appropriate, shouldn't the API return both SSL and non-SSL screenshot URLs each time in two separate fields (eg. screenshots and screenshots_ssl)? Then the site would decide which to use based on is_SSL().

It's inelegant how we return a block of content here, rather than an array of screenshot data, which is why I opted for just tweaking the content. 11009.diff is what the patch would look like.
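As an added illustration of the two approaches weighed in comments 11 and 12 (this is not code from WordPress core, from 11009.diff or from the ticket's participants), the PHP below sketches a client-side choice between per-scheme screenshot fields and a check that flags http:// image sources in markup that is about to be rendered on an https admin page. The field names screenshots and screenshots_ssl are the hypothetical ones proposed in comment 11, the $is_ssl argument stands in for WordPress's is_ssl() so the snippet runs outside WordPress, and the sample details block and its URLs are constructed.

```php
<?php
// Added example, not WordPress core code. Field names "screenshots" and
// "screenshots_ssl" are the hypothetical ones from comment 11 of #11009.

/**
 * Pick the screenshot markup to render. Prefer the SSL variant only when the
 * admin page itself is served over SSL *and* the API supplied one; the API is
 * the party that knows whether the asset host can actually serve https
 * (comment 8 notes the CDN could not), so the client never rewrites schemes.
 *
 * @param array $details Plugin "Details" block as returned by the API.
 * @param bool  $is_ssl  Stand-in for is_ssl() (assumption for this example).
 * @return string HTML markup for the screenshots, or '' if none.
 */
function select_screenshot_markup( array $details, $is_ssl ) {
	if ( $is_ssl && ! empty( $details['screenshots_ssl'] ) ) {
		return $details['screenshots_ssl'];
	}
	return isset( $details['screenshots'] ) ? $details['screenshots'] : '';
}

/**
 * Return the http:// URLs of <img> tags in a block of markup. When the page
 * is served over https, every such URL is mixed content: the browser warns
 * or blocks it, and the asset is fetched without transport protection. The
 * regex only has to recognise src attributes in API-generated markup, not
 * parse arbitrary HTML.
 *
 * @param string $html Markup about to be echoed into an admin page.
 * @return string[] Insecure image URLs found (empty when none).
 */
function find_mixed_content_images( $html ) {
	$insecure = array();
	if ( preg_match_all( '#<img\b[^>]*\bsrc=(["\'])(http://[^"\']+)\1#i', $html, $m ) ) {
		$insecure = $m[2];
	}
	return $insecure;
}

// Constructed sample resembling the "Details" block the API returns; the host
// and paths are illustrative placeholders, not real plugin assets.
$details = array(
	'screenshots'     => '<img src="http://s-plugins.example.invalid/demo/screenshot-1.png" alt="Screenshot 1" />',
	'screenshots_ssl' => '<img src="https://s-plugins.example.invalid/demo/screenshot-1.png" alt="Screenshot 1" />',
);

// Admin over SSL, API provided an SSL field: nothing should be flagged.
$markup = select_screenshot_markup( $details, true );
var_dump( find_mixed_content_images( $markup ) );

// Admin over SSL, but the API only returned http markup (the situation the
// ticket reports): the http:// URL is reported before the browser sees it.
$markup = select_screenshot_markup( array( 'screenshots' => $details['screenshots'] ), true );
var_dump( find_mixed_content_images( $markup ) );
```

The second function is the defender's half of the story: run over the markup in a test or a debug assertion, it turns the symptom described in the ticket (a browser mixed-content warning that only appears with FORCE_SSL_ADMIN on) into a deterministic check that fires before any screenshot is rendered.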
