Opened 12 years ago
Closed 10 years ago
#21919 closed defect (bug) (fixed)
Theme Customizer: loading preview with FORCE_SSL_ADMIN does not work
| Reported by: | Jasonheffner | Owned by: | |
|---|---|---|---|
| Milestone: | 4.0 | Priority: | normal |
| Severity: | normal | Version: | 3.4 |
| Component: | Customize | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
When FORCE_SSL_ADMIN is configured, theme customizer jQuery will try to load the theme preview over SSL and get a 302 redirect error.
The path is
https://site.com/?customize_messenger_channel=preview...
redirects to
http://site.com/?customize_messenger_channel=preview...
since site is non-SSL.
Attachments (1)
Change History (14)
#3
11 years ago
- Keywords close added
- Version changed from 3.4.2 to 3.4
Mixed/forced SSL was tested extensively when the customizer was originally built. Based on [20829] (both the commit message and code comment), this is intended behavior. I'm not sure there's anything we can or should do here.
Jasonheffner, sorry you did not get a reply for so long.
#4
11 years ago
Nacin, thanks. Mixed SSL is difficult to support, but I can't believe the desired effect would be to break the preview in mixed mode if FORCE_SSL_ADMIN is set. I haven't tried to replicate this bug again recently. I ended up turning off the force SSL admin parameter and instead implementing the desired effect with the web server and our authentication system, so it's no longer an issue for us at all.
#6
11 years ago
Just noticed this behavior in WP 3.9 Beta 2
Console Output:
Loading mixed (insecure) display content on a secure page "http://wp-themes.com/wp-content/themes/twentyeleven/screenshot.png"
Blocked loading mixed active content "http://wp-themes.com/twentyeleven"
If Theme-Previews were loaded from wordpress.org instead of wp-themes.com it should work, since wordpress.org is available over https. Or am I missing something?
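A simplified model of the browser check behind the console output above and the 302 described in the ticket: for a page served over HTTPS, any insecure URL in a request's redirect chain makes the load mixed content. This is an added example, not WordPress code; the `classifyLoad` name, the resource-kind grouping and the `customize.php` admin URL are assumptions, and the sample URLs are constructed from those quoted in this ticket.

```javascript
// Added example: simplified model of browser mixed-content handling.
// The grouping of resource kinds below is an assumption of this sketch.
const BLOCKABLE = new Set(["iframe", "script", "xhr", "stylesheet"]);

// Classify one subresource load. `hops` is every URL the request visits:
// the initial URL followed by any redirect targets, in order.
function classifyLoad(pageUrl, kind, hops) {
  if (new URL(pageUrl).protocol !== "https:") {
    return { verdict: "allowed", reason: "embedding page is not secure" };
  }
  for (const hop of hops) {
    const u = new URL(hop);
    if (u.protocol === "https:") continue;
    // An insecure hop anywhere in the chain counts, including a redirect target.
    if (BLOCKABLE.has(kind)) {
      return { verdict: "blocked", reason: `mixed active content: ${u.href}` };
    }
    return { verdict: "warning", reason: `mixed display content: ${u.href}` };
  }
  return { verdict: "allowed", reason: "every hop is https" };
}

// Constructed samples. The admin URL is assumed; the rest come from the ticket.
const ADMIN_PAGE = "https://site.com/wp-admin/customize.php";
const SAMPLES = [
  ["image", ["http://wp-themes.com/wp-content/themes/twentyeleven/screenshot.png"]],
  ["iframe", ["http://wp-themes.com/twentyeleven"]],
  // Preview requested over HTTPS, then redirected (302) to the non-SSL front end.
  ["xhr", ["https://site.com/?customize_messenger_channel=preview...",
           "http://site.com/?customize_messenger_channel=preview..."]],
  ["iframe", ["https://wp-themes.com/twentyeleven"]],
];

function report() {
  return SAMPLES.map(([kind, hops]) =>
    `${kind} ${hops[0]} -> ${classifyLoad(ADMIN_PAGE, kind, hops).verdict}`);
}

report().forEach((line) => console.log(line));
```

The third sample shows why an HTTPS request alone is not enough: the downgrade happens at the redirect target, so the front end itself has to answer over HTTPS.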
#7
10 years ago
- Keywords close removed
- Milestone Awaiting Review deleted
- Resolution set to worksforme
- Status changed from new to closed
I just tried opening a site in the Customizer with FORCE_SSL_ADMIN, and the preview is loaded properly. The Ajax request is using HTTPS as required.
@janreim: Your issue seems unrelated, as there is probably some theme screenshot on the Themes page that is referencing an HTTP URL; when you later accessed the Live Preview theme switch, the HTTPS security warning remained on the page because the Customizer actually gets loaded into an iframe at that point.
#8
10 years ago
- Milestone set to Future Release
- Resolution worksforme deleted
- Status changed from closed to reopened
As janreim noted, this is still an issue when previewing themes from the 'Add Themes' screen. Theme previews are served from http://wp-themes.com, which get blocked by the browser.
See #META344 for the meta ticket.
#9
10 years ago
> If Theme-Previews were loaded from wordpress.org instead of wp-themes.com it should work, since wordpress.org is available over https. Or am I missing something?
We cannot run the previewer on the WordPress.org domain, for security reasons. It needs to stay on its own domain.
We need to get systems to fix the SSL certificate issues with that domain before we can correct the issue.
#10
10 years ago
The SSL certificate issues have been fixed. There are still a few more mixed-content fixes to be made there, but wp-themes.com can now be reached properly via https and has a proper certificate.
I can confirm this bug. I have 3.7 installed on an IIS server. I was thinking it might be getting re-written by my web.config but I checked and it is not.
It would seem that WordPress is re-writing the URL to HTTPS when in the admin (a.k.a. customizer) but trying to load a page, like your homepage, that page will ONLY load over http. I'm not sure if it would be best to remove customizer from the force_ssl_admin list or fix the way WordPress loads content when it should be https.
Still have more digging to do on this issue.