Make WordPress Core

Opened 15 years ago

Closed 14 years ago

#11010 closed defect (bug) (worksforme)

adapt to https use

Reported by: brantgurga
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords: reporter-feedback
Focuses:
Cc:

Description

WordPress should be cognizant of whether https was used to access the page and use https to access content under its control to minimize mixed content warnings in browsers.

  1. Configure Internet Explorer 8 with default settings.
  2. Load https://gurganus.name/brant.
  3. Choose "Yes" about only showing the secure content.

Actual result: You receive both a degraded user experience as well as a usually unnecessary warning.

Expected result: The URLs to content under WordPress control such as the stylesheet are switched to https so that secured and non-secured content is not mixed.

It's understandable that WordPress can't do anything about content not under its control, but images and stylesheets are under its control generally so they should be loaded over https if the page was loaded over https.

Change History (12)

#1 @scribu
15 years ago

  • Component changed from General to HTTP
  • Keywords needs-patch added
  • Milestone changed from Unassigned to Future Release
  • Owner set to dd32

#2 @dd32
15 years ago

  • Component changed from HTTP to General
  • Owner dd32 deleted

Moving back to General to keep the HTTP component for the HTTP Access classes rather than User Experience.

#3 @pnettle
15 years ago

Just started doing some dev stuff with WordPress so please put up with what might be stupidity, but it seems to me this is being caused by the fact that WordPress is building the URLs for everything in theme.php based off of get_option('siteurl'), which stores the url as http://url.

A simple solution would be to check to see if the current url is using https, and if so replace the http:// from get_option('siteurl') with https:// in the theme.php where it generates the url. However, wouldn't it be better to have a more global function for this rather than simply putting it solely in the theme.php file? Because shouldn't most places that generate a url be using the https if it is what is currently being used?

#4 @dd32
15 years ago

Have a look into site_url(). If it doesn't support the HTTPS auto-switch, then adding it there would be the best option, and running all URLs through it in one way or another, IMO.

#5 @hakre
15 years ago

  • Cc hanskrentel@… added

#6 @hakre
15 years ago

  • Cc hanskrentel@… removed

I'll take a look as well because I'm currently running a scenario including https.

#7 @brantgurga
15 years ago

  • Cc brantgurga added

Cool, nice to see some activity and interest in this. This feels like it's a relatively simple change that even I could do, but someone cognizant of the WordPress architecture needs to tell the place for this change or make a place for it. It's sounding like that is related to the site_url() function or the siteurl option.

#8 @peaceablewhale
14 years ago

  • Keywords reporter-feedback added; needs-patch removed

My WordPress 3.0 with the default Twenty Ten theme works well with both HTTP and HTTPS. Is this issue still valid?

#9 @brantgurga
14 years ago

This is still an issue as far as I can tell. Make sure you aren't letting your browser accept http content on a site accessed by https. That's where the issue is. WordPress hardcodes to using the http version instead of switching based on how the site is accessed. As a result, you end up with an https page with http content. This allows the http content (if you allow it) to cross that security boundary. This is still happening in 3.0 on my installation.

#10 @peaceablewhale
14 years ago

I am using Internet Explorer 8, which issues a warning for mixing HTTP and HTTPS content. However, it does not issue any warning to my blog and the links generated by WordPress do start with https://.

I guess it is a theme issue rather than a core issue.

#12 @dd32
14 years ago

  • Milestone Future Release deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Closing as worksforme.

Use the API and you'll get HTTPS links when enabled.
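
A browser-independent way to check for the symptom discussed in this ticket, as an added example that is not part of the ticket or of WordPress: it scans the HTML of a page served over https for subresources that would still be fetched over http, and separates those on the site's own host (the ones the description calls "under its control") from third-party ones. The page URL, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is not listed.
SUBRESOURCE_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        values = dict(attrs)
        if not attr or not values.get(attr):
            return
        # Only stylesheet links are fetched as page content; skip pingback etc.
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        self.urls.append(urljoin(self.page_url, values[attr]))

def find_mixed_content(page_url, html):
    """Return (same_host, third_party) lists of http:// subresources on an https page."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return [], []  # mixed content only exists on pages loaded over https
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    same_host, third_party = [], []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "http":
            (same_host if parts.hostname == page.hostname else third_party).append(url)
    return same_host, third_party

# Constructed sample: a theme that emits absolute http:// URLs for its own assets.
PAGE_URL = "https://blog.example/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/demo/style.css">
<link rel="pingback" href="http://blog.example/xmlrpc.php">
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<img src="http://blog.example/wp-content/uploads/photo.png">
<img src="http://cdn.other.example/badge.png">
<img src="//blog.example/wp-content/uploads/ok.png">
<a href="http://blog.example/about">About</a>
</body></html>"""
```

Any URL in the first list is emitted by the site itself and points at a theme, plugin or stored content URL to fix; the second list can only be fixed by changing or removing the third-party reference.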
