WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#20137 closed defect (bug) (fixed)

Security Warning when customizing a theme

Reported by: mattrude
Owned by: koopersmith
Milestone: 3.4
Priority: normal
Severity: normal
Version: 3.4
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

When a site is using https and a user chooses 'customize theme' on the themes page (version 3.4-alpha-20032), a security warning is displayed stating that some content will not be displayed via a secure connection.

Looking deeper, the previewed theme does not honor "define('FORCE_SSL_ADMIN', true);" and is output via an insecure connection.

Attachments (1)

20137.patch (619 bytes) - added by ocean90 7 years ago.


Change History (10)

#1 @nacin
7 years ago

  • Milestone changed from Awaiting Review to 3.4

#2 follow-up: @ocean90
7 years ago

And the current preview doesn't have a warning?

@ocean90
7 years ago

#3 @ocean90
7 years ago

  • Keywords has-patch added

20137.patch should work for links from get_permalink or wp_enqueue_script but not for hardcoded links.

Just a s/http/https/ could break things.

#4 in reply to: ↑ 2 @mattrude
7 years ago

  • Cc matt@… added

Replying to ocean90:

And the current preview doesn't have a warning?

Correct, in 3.3.1, no error is displayed when previewing a theme under the same setup.

#5 @ocean90
7 years ago

  • Owner set to koopersmith
  • Status changed from new to assigned

#6 @koopersmith
7 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In [20051]:

Theme Customizer: Load the preview iframe with the same scheme as the admin to prevent security warnings. props ocean90. fixes #20137, see #19910.

#7 follow-up: @nacin
7 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Is there a reason for get_home_url( null, '/', $scheme ) rather than home_url( '/', $scheme )?

#8 @koopersmith
7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In [20057]:

Theme Customizer: Use home_url instead of get_home_url. props nacin, fixes #20137, see #19910.

#9 in reply to: ↑ 7 @koopersmith
7 years ago

Replying to nacin:

Is there a reason for get_home_url( null, '/', $scheme ) rather than home_url( '/', $scheme )?

Survey says... “No.” [20057]
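The following is an added example, not code from the ticket or from WordPress. It illustrates the distinction raised in comment #3: once the preview is loaded with the admin's scheme, URLs derived from that scheme stop being mixed content, while hardcoded http:// URLs still trigger the warning. The function names, `SAMPLE_HTML` and the `example.test` hosts are assumptions made for the illustration.

```javascript
// Added example (not WordPress code). All names and hosts are illustrative.
// Simple regex scan, not a full HTML parser: enough for well-formed tags.
const SUBRESOURCE_ATTRS = { script: 'src', img: 'src', iframe: 'src', link: 'href' };

// Return previewUrl rewritten to the admin page's scheme, the approach the
// ticket's fix describes for the preview iframe URL.
function matchAdminScheme(adminUrl, previewUrl) {
  const out = new URL(previewUrl);
  out.protocol = new URL(adminUrl).protocol;
  return out.href;
}

// List subresources that would load over http: while the admin is https:.
// Relative and scheme-relative URLs resolve against baseUrl and inherit its
// scheme; hardcoded http:// URLs do not.
function findMixedContent(adminUrl, baseUrl, html) {
  if (new URL(adminUrl).protocol !== 'https:') return [];
  const found = [];
  const tagRe = /<(script|img|iframe|link)\b([^>]*)>/gi;
  for (const [, rawTag, attrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    // Count only stylesheet links; e.g. rel=canonical is never fetched.
    if (tag === 'link' && !/\brel\s*=\s*["'][^"']*stylesheet/i.test(attrs)) continue;
    const attrRe = new RegExp(`(?:^|\\s)${SUBRESOURCE_ATTRS[tag]}\\s*=\\s*["']([^"']+)["']`, 'i');
    const m = attrRe.exec(attrs);
    if (!m) continue;
    let resolved;
    try { resolved = new URL(m[1], baseUrl); } catch { continue; }
    if (resolved.protocol === 'http:') found.push({ tag, url: resolved.href });
  }
  return found;
}

// Constructed sample markup. Relative and // URLs stand in (as an assumption)
// for URLs WordPress generates from the current scheme; http:// ones are hardcoded.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script src="//example.test/wp-includes/js/jquery.js"></script>
<img src="http://example.test/wp-content/themes/demo/header.png">
<script src="http://cdn.example.test/widget.js"></script>
<a href="http://example.test/about/">About</a>`;

const ADMIN = 'https://example.test/wp-admin/themes.php';
const fixedBase = matchAdminScheme(ADMIN, 'http://example.test/');
console.log('http preview :', findMixedContent(ADMIN, 'http://example.test/', SAMPLE_HTML).length);
console.log('https preview:', findMixedContent(ADMIN, fixedBase, SAMPLE_HTML));
```

The two entries left after the scheme is matched are the hardcoded URLs, which have to be corrected in the theme itself.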
