#11009 closed defect (bug) (fixed)
screenshots of plugins from wordpress.org load over http instead of https when FORCE_SSL_ADMIN is enabled
Reported by: | brantgurga | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | 2.9 |
Component: | WordPress.org Site | Keywords: | dev-feedback |
Focuses: | | Cc: | |
Description
- Enabled FORCE_SSL_ADMIN in WordPress on an appropriate host.
- Use default settings in Internet Explorer 8.
- Go to the plugin installation page.
- Choose a plugin from wordpress.org to install.
Actual Result:
You get a mixed mode warning because the screenshots and possibly other content loaded from wordpress.org are loaded over http instead of https.
Expected Result:
Screenshots are loaded over https so that content is not mixed.
Attachments (1)
Change History (13)
#3 (15 years ago)
Other browsers can warn about this situation as well and it is a bug not a feature request. The reason is that when a page is loaded over https, there is a trust associated with it being from where it claims to be from. As soon as you load non-https content into the page, that non-https content can potentially handle all the interaction and appearance of the page.
That said, it appears that a change, either in WordPress itself or the WordPress site, has worked around/fixed this issue by displaying the alt text instead of the screenshots in this scenario.
This is as of WordPress 2.9.1, if it is a change in the WordPress code itself, for reference.
#5 (15 years ago)
- Keywords dev-feedback added
- Type changed from feature request to defect (bug)
- Version set to 2.9
There hadn't been any changes here, I don't think. It would've been related to either the browser preventing non-secure items from loading or the wordpress.org site being unavailable for some reason.
This will require a change on the WordPress.org servers as well, to allow screenshots to be loaded over HTTPS; this is currently not possible.
#7 (11 years ago)
- Milestone changed from Future Release to 3.7
It would be good to take a look at this during 3.7 as part of the investigative work I have started to see if we can make all the requests to api.wordpress.org over https.
In theory that work, which is currently testable via the Beta Tester plugin, should make us load screenshots over SSL if I fixed all the api responses correctly :)
#8 (11 years ago)
This is still an issue.
The screenshot images have "http" instead of "https". In the file wp-admin/includes/plugin-install.php the "plugins_api" function makes a call to a WordPress service that returns the "Details" for a plugin. Those details hardcode an http protocol for assets. Simply replacing http with https in core will not address the issue because the static-asset CDN (eg: "http://s-plugins.wordpress.org/...") does not return a valid SSL certificate.
Here is an example of what happens when https is used to access the image:
Until the CDN can serve SSL traffic there is no point in trying to resolve this in core.
#10 (11 years ago)
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed
In 25691:
#11 (11 years ago), follow-up: ↓ 12
Rather than sending the SSL status to the API and the API returning SSL or non-SSL screenshot URLs as appropriate, shouldn't the API return both SSL and non-SSL screenshot URLs each time in two separate fields (e.g. screenshots and screenshots_ssl)? Then the site would decide which to use based on is_SSL().
#12 (11 years ago), in reply to: ↑ 11
Replying to johnbillion:
> Rather than sending the SSL status to the API and the API returning SSL or non-SSL screenshot URLs as appropriate, shouldn't the API return both SSL and non-SSL screenshot URLs each time in two separate fields (e.g. screenshots and screenshots_ssl)? Then the site would decide which to use based on is_SSL().
It's inelegant how we return a block of content here, rather than an array of screenshot data, which is why I opted for just tweaking the content. 11009.diff is what the patch would look like.
The ticket's description might be somewhat incomplete. Mixing does mean that you are mixing files from different hosts as well.
Additionally, mixing content is not a bug. What the reporter wants is a new feature that prevents a certain message in a certain browser. This might increase usability within certain user groups. But this is not a bug.
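The two approaches discussed in comments #8, #11 and #12 (rewriting the HTML block the plugin API returns so that screenshot URLs use https when the admin page is served over SSL, and coping with an asset host that cannot present a valid certificate) as an added example in PHP. This is not WordPress core code and not the 11009.diff patch from the ticket; the function names, the sample API response and the list of TLS-capable hosts are constructed for illustration. In WordPress the boolean would come from is_ssl() and the HTML from the plugins_api() result (for example via the plugins_api_result filter); here both are passed in so the script runs stand-alone.

```php
<?php
// Added example, not WordPress core code and not the patch attached to #11009.
// Hypothetical names: rewrite_screenshot_html(), escape_html_local(), $https_capable_hosts.

/**
 * Rewrite <img> tags in the HTML "screenshots" block returned by the plugin API
 * so that an https admin page does not load http subresources.
 *
 * @param string $html                HTML block as returned by the API.
 * @param bool   $page_is_ssl         What is_ssl() returns in WordPress; passed in so this runs stand-alone.
 * @param array  $https_capable_hosts Hosts known to present a valid certificate (constructed list).
 * @return string HTML that will not trigger a mixed-content warning on an https page.
 */
function rewrite_screenshot_html( $html, $page_is_ssl, array $https_capable_hosts ) {
    if ( ! $page_is_ssl ) {
        return $html; // Plain http admin page: nothing to mix.
    }

    // Only http:// sources are touched; https:// and protocol-relative URLs are already safe.
    return preg_replace_callback(
        '#<img\b[^>]*\bsrc=(["\'])(http://[^"\']+)\1[^>]*>#i',
        function ( $m ) use ( $https_capable_hosts ) {
            $tag  = $m[0];
            $url  = $m[2];
            $host = parse_url( $url, PHP_URL_HOST );

            if ( is_string( $host ) && in_array( strtolower( $host ), $https_capable_hosts, true ) ) {
                // Host serves TLS: keep the same path, switch the scheme.
                $https_url = 'https://' . substr( $url, strlen( 'http://' ) );
                return str_replace( $url, $https_url, $tag );
            }

            // Host cannot serve TLS (the s-plugins.wordpress.org case from comment 8):
            // drop the image and show its alt text, which is what the reporter saw in 2.9.1.
            if ( preg_match( '#\balt=(["\'])(.*?)\1#i', $tag, $alt ) ) {
                return escape_html_local( $alt[2] );
            }
            return '';
        },
        $html
    );
}

// Minimal stand-in for WordPress's esc_html() so the script runs without WordPress.
// Decode first so an attribute value that is already entity-encoded is not double-escaped.
function escape_html_local( $text ) {
    return htmlspecialchars( html_entity_decode( $text, ENT_QUOTES, 'UTF-8' ), ENT_QUOTES, 'UTF-8' );
}

// Constructed sample response: one host that serves TLS, one that does not.
$sample = '<p><img src="http://tls.example.org/example/assets/screenshot-1.png" alt="Settings screen"></p>'
        . '<p><img src="http://s-plugins.wordpress.org/example/screenshot-2.png" alt="Editor &amp; preview"></p>';

// Constructed list; s-plugins.wordpress.org is intentionally absent (see comment 8).
$https_capable_hosts = array( 'tls.example.org' );

echo rewrite_screenshot_html( $sample, true, $https_capable_hosts ), "\n";
// First image keeps its path under https://tls.example.org/..., the second becomes the text "Editor &amp; preview".
echo rewrite_screenshot_html( $sample, false, $https_capable_hosts ), "\n";
// Over plain http the block is returned unchanged.
```

The rewrite is deliberately conservative: blindly replacing http with https, as comment #8 points out, only trades a mixed-content warning for a certificate error on a host that cannot serve TLS, so an unknown host gets the alt-text fallback rather than an https URL. Returning both URL variants from the API, as comment #11 proposes, would let the client skip the host list entirely.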