Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#14835 closed defect (bug) (fixed)

Theme header_image fails to load when not in HTTPS

Reported by: dturvene's profile dturvene Owned by:
Milestone: 3.1 Priority: normal
Severity: minor Version: 3.0
Component: Themes Keywords: has-patch
Focuses: Cc:


Server Setup: Linux, Firefox/Chrome, Apache

My server uses a self-generated SSL certificate. A firefox/chrome browser profile will challenge the user first time the mysite is accessed using HTTPS to allow an insecure certificate.

Wordpress general access uses HTTP. Wordpress admin uses HTTPS.

Using Twenty Ten theme (and others) I select a new header image. This sets header_image to


in the mods_Twenty Ten.

The header_image will silently fail to load when a user has not previously accepted the private security certificate of my site.
It is retrieved in wp-includes/theme.php get_header_image().

The programmatic fix for this seems to be store references to common widgets using only HTTP and not HTTPS.

Non programmatic fixes (I implemented #2 below):

1) Generate a certificate by a public CA.

2) Modify mods_Twenty Ten using mysql:

use wordpress;

select option_name,option_value from wp_options where option_name="mods_Twenty Ten";

UPDATE wp_options SET option_value='a:2:{s:12:"header_image";s:79:"http://.../wp-content/themes/twentyten/images/header/sunset.jpg";s:18:"nav_menu_locations";a:1:{s:7:"primary";i:16;}}' WHERE option_name="mods_Twenty Ten";

Attachments (2)

14835.diff (640 bytes) - added by nacin 13 years ago.
14835.2.diff (643 bytes) - added by nacin 13 years ago.

Download all attachments as: .zip

Change History (10)

#1 @dturvene
13 years ago

  • Cc dturvene added

#2 @nacin
13 years ago

  • Milestone changed from Awaiting Review to 3.1

Since we're storing an absolute value here (and I'm not sure we can avoid that because it might be either an image in the theme versus an upload), we probably just need to do an http/https check, pick which to serve based on is_ssl().

#3 @hakre
13 years ago

Indeed, the backend must get the propper HTTP/HTTPS setting for frontend prior storing the address to the header image into the database.

#4 @jane
13 years ago

  • Keywords needs-patch added

Sounds like there's agreement on approach; anyone willing to write the patch so we can get it in before freeze?

#5 @kawauso
13 years ago

Related: #14678

#6 @nacin
13 years ago

  • Keywords has-patch added; needs-patch removed

Can someone check this?

13 years ago

13 years ago

#7 @ryan
13 years ago

Seems fine. Someday we should introduce set_url_scheme().

#8 @automattor
13 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16846]) Make get_header_image() ssl-aware. fixes #14835.

Note: See TracTickets for help on using tickets.