WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#21919 closed defect (bug) (fixed)

Theme Customizer: loading preview with FORCE_SSL_ADMIN does not work

Reported by: Jasonheffner
Owned by:
Milestone: 4.0
Priority: normal
Severity: normal
Version: 3.4
Component: Customize
Keywords: has-patch
Focuses:
Cc:

Description

When FORCE_SSL_ADMIN is configured, the theme customizer jQuery will try to load the theme preview over SSL and get a 302 redirect error.

The path is

https://site.com/?customize_messenger_channel=preview...

redirects to

http://site.com/?customize_messenger_channel=preview...

since the site is non-SSL.

Attachments (1)

21919.diff (663 bytes) - added by johnbillion 4 years ago.


Change History (14)

#1 @cleanshooter
5 years ago

I can confirm this bug. I have 3.7 installed on an IIS server. I was thinking it might be getting re-written by my web.config but I checked and it is not.

It would seem that WordPress is re-writing the URL to HTTPS when in the admin (a.k.a. customizer) but trying to load a page, like your homepage, that page will ONLY load over HTTP. I'm not sure if it would be best to remove customizer from the force_ssl_admin list or fix the way WordPress loads content when it should be HTTPS.

Still have more digging to do on this issue.


#2 @jeremyfelt
5 years ago

  • Component changed from Multisite to Appearance

Related: #20702

#3 @nacin
5 years ago

  • Keywords close added
  • Version changed from 3.4.2 to 3.4

Mixed/forced SSL was tested extensively when the customizer was originally built. Based on [20829] (both the commit message and code comment), this is intended behavior. I'm not sure there's anything we can or should do here.

Jasonheffner, sorry you did not get a reply for so long.

#4 @jasonheffner
5 years ago

Nacin, thanks. Mixed SSL is difficult to support, but I can't believe the desired effect would be to break the preview in mixed mode if FORCE_SSL_ADMIN is set. I haven't tried to replicate this bug again recently. I ended up turning off the force SSL admin parameter and instead implementing the desired effect with the web server and our authentication system, so it's no longer an issue for us at all.

#5 @johnbillion
4 years ago

  • Cc johnbillion added

#6 @janreim
4 years ago

Just noticed this behavior in WP 3.9 Beta 2

Console Output:

Loading mixed (insecure) display content on a secure page "http://wp-themes.com/wp-content/themes/twentyeleven/screenshot.png

Blocked loading mixed active content "http://wp-themes.com/twentyeleven"

If Theme-Previews were loaded from wordpress.org instead of wp-themes.com it should work, since wordpress.org is available over https. Or am I missing something?

#7 @westonruter
4 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I just tried opening a site in the Customizer with FORCE_SSL_ADMIN, and the preview is loaded properly. The Ajax request is using HTTPS as required.

@janreim: Your issue seems unrelated, as there is probably some theme screenshot on the Themes page that is referencing an HTTP URL; when you later accessed the Live Preview theme switch, the HTTPS security warning remained on the page because the Customizer actually gets loaded into an iframe at that point.

#8 @johnbillion
4 years ago

  • Milestone set to Future Release
  • Resolution worksforme deleted
  • Status changed from closed to reopened

As janreim noted, this is still an issue when previewing themes from the 'Add Themes' screen. Theme previews are served from http://wp-themes.com which get blocked by the browser.

See #META344 for the meta ticket.

#9 @Otto42
4 years ago

> If Theme-Previews were loaded from wordpress.org instead of wp-themes.com it should work, since wordpress.org is available over https. Or am I missing something?

We cannot run the previewer on the WordPress.org domain, for security reasons. It needs to stay on its own domain.

We need to get systems to fix the SSL certificate issues with that domain before we can correct the issue.

#10 @Otto42
4 years ago

The SSL certificate issues have been fixed. There are still a few more mixed-content fixes to be made there, but wp-themes.com can now be reached properly via https and has a proper certificate.

#11 @johnbillion
4 years ago

  • Keywords has-patch commit added
  • Milestone changed from Future Release to 4.0

21919.diff is all that's needed on the core side of things. The rest of this is down to wp-themes.com, which is being handled in #META344.

#12 @johnbillion
4 years ago

In 28974:

Use the admin scheme for theme preview URLs when installing new themes. See #21919.
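
Added example (not part of the ticket, and not the contents of 21919.diff): a simplified model of the mixed-content outcome shown in the console output in comment 6, followed by the effect of giving the preview URL the same scheme as the admin page. The admin URL and the function names are assumptions made for the illustration.

```javascript
// Added illustration; not WordPress core code and not the contents of 21919.diff.
// Simplified model of the two console messages quoted in comment 6: on an HTTPS
// page, HTTP "active" content is blocked and HTTP "display" content only warns.
const ACTIVE_TYPES = new Set(["iframe", "script", "stylesheet", "xhr"]);

function classifyMixedContent(pageUrl, resources) {
  const page = new URL(pageUrl);
  return resources.map(({ type, url }) => {
    const res = new URL(url, page); // also resolves relative and //host/ URLs
    let verdict = "ok";
    if (page.protocol === "https:" && res.protocol === "http:") {
      verdict = ACTIVE_TYPES.has(type) ? "blocked-active" : "warned-display";
    }
    return { type, url: res.href, verdict };
  });
}

// Rewrite an http(s) URL to the scheme of the page that embeds it.
function withPageScheme(pageUrl, url) {
  const page = new URL(pageUrl);
  const res = new URL(url, page);
  const web = ["http:", "https:"];
  if (web.includes(page.protocol) && web.includes(res.protocol)) {
    res.protocol = page.protocol;
  }
  return res.href;
}

// Constructed admin URL (hypothetical host); resource URLs are those in comment 6.
const ADMIN_PAGE = "https://site.example/wp-admin/theme-install.php";
const RESOURCES = [
  { type: "img", url: "http://wp-themes.com/wp-content/themes/twentyeleven/screenshot.png" },
  { type: "iframe", url: "http://wp-themes.com/twentyeleven" },
];

function audit() {
  const before = classifyMixedContent(ADMIN_PAGE, RESOURCES);
  const fixed = RESOURCES.map((r) => ({ ...r, url: withPageScheme(ADMIN_PAGE, r.url) }));
  return { before, after: classifyMixedContent(ADMIN_PAGE, fixed) };
}

console.log(JSON.stringify(audit(), null, 2));
```

Rewriting the scheme only helps when the embedded host actually serves HTTPS with a valid certificate, which is the wp-themes.com dependency described in comments 9 and 10.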

#13 @johnbillion
4 years ago

  • Keywords commit removed
  • Resolution set to fixed
  • Status changed from reopened to closed