Opened 15 years ago
Closed 14 years ago
#11010 closed defect (bug) (worksforme)
adapt to https use
Reported by: | brantgurga | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | General | Keywords: | reporter-feedback |
Focuses: | Cc: |
Description
Wordpress should be cognizant of whether https was used to access the page and use https to access content under its control to minimize mixed content warnings in browsers.
- Configure Internet Explorer 8 with default settings.
- Load https://gurganus.name/brant.
- Choose "Yes" about only showing the secure content.
Actual result: You receive both a degraded user experience as well as a usually unnecessary warning.
Expected result: The URLs to content under Wordpress control such as the stylesheet are switched to https so that secured and non-secured content is not mixed.
It's understandable that Wordpress can't do anything about content not under its control, but images and stylesheets are under its control generally so they should be loaded over https if the page was loaded over https.
Change History (12)
#1
@
15 years ago
- Component changed from General to HTTP
- Keywords needs-patch added
- Milestone changed from Unassigned to Future Release
- Owner set to dd32
#3
@
15 years ago
Just starting doing some dev stuff with wordpress so please put up with what might be stupidity, but it seems to me this is being caused by the fact that wordpress is building the url's for everything in theme.php based off of get_option('siteurl'), which stores the url as http://url.
A simple solution would be to check to see if the current url is using https, and if so replace the http:// from get_option('siteurl') with https:// in the theme.php where it generates the url. However, wouldn't it be better to have a more global function for this rather than simply putting it solely in the theme.php file? Because shouldn't most places that generate a url be using the https if it is what is currently being used?
#4
@
15 years ago
Have a look into site_url(), If it doesnt support the HTTPS auto-switch, then adding it there would be the best option, and running all url's through it in one way or another IMO.
#6
@
15 years ago
- Cc hanskrentel@… removed
I'll take a look as well because I'm currently running a scenario including https.
#7
@
15 years ago
- Cc brantgurga added
Cool, nice to see some activity and interest in this. This feels like it's a relatively simple change that even I could do, but someone cognizant of the Wordpress architecture needs to tell the place for this change or make a place for it. It's sounding like that is related to the site_url() function or the siteurl option.
#8
@
14 years ago
- Keywords reporter-feedback added; needs-patch removed
My WordPress 3.0 with the default Twenty Ten theme works well with both HTTP and HTTPS. Is this issue still valid?
#9
@
14 years ago
This is still an issue as far as I can tell. Make sure you aren't letting your browser accept http content on a site accessed by https. That's where the issue is. Wordpress hardcodes to using the http version instead of switching based on how the site is accessed. As a result, you end up with an https page with http content. This allows the http content (if you allow it) to cross that security boundary. This is still happening in 3.0 on my installation.
Moving back to General to keep the HTTP component for the HTTP Access classes rather than User Experience.