Opened 5 years ago

Closed 5 years ago

#14835 closed defect (bug) (fixed)

Theme header_image fails to load when not in HTTPS

Reported by: dturvene
Owned by:
Milestone: 3.1
Priority: normal
Severity: minor
Version: 3.0
Component: Themes
Keywords: has-patch
Focuses:
Cc:


Server Setup: Linux, Firefox/Chrome, Apache

My server uses a self-generated SSL certificate. A Firefox/Chrome browser profile will challenge the user the first time mysite is accessed using HTTPS to allow an insecure certificate.

WordPress general access uses HTTP. WordPress admin uses HTTPS.

Using Twenty Ten theme (and others) I select a new header image. This sets header_image to


in the mods_Twenty Ten.

The header_image will silently fail to load when a user has not previously accepted the private security certificate of my site.
It is retrieved in wp-includes/theme.php get_header_image().

The programmatic fix for this seems to be to store references to common widgets using only HTTP and not HTTPS.

Non programmatic fixes (I implemented #2 below):

1) Generate a certificate by a public CA.

2) Modify mods_Twenty Ten using mysql:

use wordpress;

select option_name,option_value from wp_options where option_name="mods_Twenty Ten";

UPDATE wp_options SET option_value='a:2:{s:12:"header_image";s:79:"http://.../wp-content/themes/twentyten/images/header/sunset.jpg";s:18:"nav_menu_locations";a:1:{s:7:"primary";i:16;}}' WHERE option_name="mods_Twenty Ten";

Attachments (2)

14835.diff (640 bytes) - added by nacin 5 years ago.
14835.2.diff (643 bytes) - added by nacin 5 years ago.

Change History (10)

comment:1 @dturvene 5 years ago

  • Cc dturvene added

comment:2 @nacin 5 years ago

  • Milestone changed from Awaiting Review to 3.1

Since we're storing an absolute value here (and I'm not sure we can avoid that because it might be either an image in the theme versus an upload), we probably just need to do an http/https check, pick which to serve based on is_ssl().

comment:3 @hakre 5 years ago

Indeed, the backend must get the proper HTTP/HTTPS setting for the frontend prior to storing the address to the header image into the database.

comment:4 @jane 5 years ago

  • Keywords needs-patch added

Sounds like there's agreement on approach; anyone willing to write the patch so we can get it in before freeze?

comment:5 @kawauso 5 years ago

Related: #14678

comment:6 @nacin 5 years ago

  • Keywords has-patch added; needs-patch removed

Can someone check this?

@nacin 5 years ago

@nacin 5 years ago

comment:7 @ryan 5 years ago

Seems fine. Someday we should introduce set_url_scheme().

comment:8 @automattor 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16846]) Make get_header_image() ssl-aware. fixes #14835.
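
The approach discussed in comment:2 (keep the stored absolute URL and pick http or https per request) can be sketched as follows. This is an added example, not the patch attached to this ticket and not WordPress core code; request_is_ssl() and match_request_scheme() are hypothetical names, with request_is_ssl() standing in for is_ssl() so the script runs without WordPress, and example.com is a placeholder host.

```php
<?php
// Hypothetical stand-in for WordPress's is_ssl(): decides from the
// request's server variables whether the current request arrived over TLS.
function request_is_ssl(array $server): bool {
    if (isset($server['HTTPS'])) {
        $https = strtolower((string) $server['HTTPS']);
        if ($https === 'on' || $https === '1') {
            return true;
        }
    }
    return isset($server['SERVER_PORT']) && (string) $server['SERVER_PORT'] === '443';
}

// Rewrite only the leading scheme of an absolute URL. Relative paths,
// other schemes and URLs embedded in a query string are left untouched.
function match_request_scheme(string $url, bool $ssl): string {
    $scheme = $ssl ? 'https' : 'http';
    return preg_replace('#^https?://#i', $scheme . '://', $url, 1);
}

// Constructed sample: theme mods as stored after the header image was
// chosen from the HTTPS admin (same shape as the option in the report).
$stored = serialize([
    'header_image'       => 'https://example.com/wp-content/themes/twentyten/images/header/sunset.jpg',
    'nav_menu_locations' => ['primary' => 16],
]);
$mods = unserialize($stored, ['allowed_classes' => false]);

// Front-end request over plain HTTP: the image URL is served as http://,
// so visitors who never accepted the self-signed certificate still load it.
$front = ['SERVER_PORT' => '80'];
echo match_request_scheme($mods['header_image'], request_is_ssl($front)), "\n";

// Admin request over HTTPS: the same stored value is served as https://,
// which avoids a mixed-content image on the secure page.
$admin = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];
echo match_request_scheme($mods['header_image'], request_is_ssl($admin)), "\n";

// Edge case: a scheme inside the query string must not be rewritten.
$nested = 'http://example.com/img.php?src=https://cdn.example/x.jpg';
echo match_request_scheme($nested, true), "\n";
```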
