Theme header_image fails to load when not in HTTPS

[dturvene]

Server Setup: Linux, Firefox/Chrome, Apache

My server uses a self-generated SSL certificate. A firefox/chrome browser profile will challenge the user first time the mysite is accessed using HTTPS to allow an insecure certificate.

Wordpress general access uses HTTP. Wordpress admin uses HTTPS.

Using Twenty Ten theme (and others) I select a new header image. This sets header_image to

​https://../wp-content/themes/twentyten/images/headers/sunset.jpg

in the mods_Twenty Ten.

The header_image will silently fail to load when a user has not previously accepted the private security certificate of my site.
It is retrieved in wp-includes/theme.php get_header_image().

The programmatic fix for this seems to be store references to common widgets using only HTTP and not HTTPS.

Non programmatic fixes (I implemented #2 below):

1) Generate a certificate by a public CA.

2) Modify mods_Twenty Ten using mysql:

use wordpress;

select option_name,option_value from wp_options where option_name="mods_Twenty Ten";

UPDATE wp_options SET option_value='a:2:{s:12:"header_image";s:79:"http://.../wp-content/themes/twentyten/images/header/sunset.jpg";s:18:"nav_menu_locations";a:1:{s:7:"primary";i:16;}}' WHERE option_name="mods_Twenty Ten";

[nacin]

Since we're storing an absolute value here (and I'm not sure we can avoid that because it might be either an image in the theme versus an upload), we probably just need to do an http/https check, pick which to serve based on is_ssl().

[hakre]

Indeed, the backend must get the propper HTTP/HTTPS setting for frontend prior storing the address to the header image into the database.

[jane]

Sounds like there's agreement on approach; anyone willing to write the patch so we can get it in before freeze?

[kawauso]

Related: #14678

[nacin]

Can someone check this?

[ryan]

Seems fine. Someday we should introduce set_url_scheme().

[automattor]

(In [16846]) Make get_header_image() ssl-aware. fixes #14835.