
Opened 4 years ago

Last modified 2 months ago

#27954 reopened task (blessed)

Add FORCE_SSL option to enable HTTPS everywhere on the site

Reported by: bryanquigley
Owned by: johnbillion
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.0
Component: Security
Keywords: https has-patch needs-testing has-unit-tests

Description

We have the option to FORCE_SSL_ADMIN and FORCE_SSL_LOGINs, but not to FORCE_SSL for everyone everywhere.

Aside: It appears wordpress.com forces SSL everywhere.

Attachments (3)

27954.diff (1.4 KB) - added by thomaswm 2 years ago.
Redirect frontend to HTTPS if FORCE_SSL constant is set to true
27954.2.diff (2.2 KB) - added by thomaswm 2 years ago.
Unit tests
27954.3.diff (2.2 KB) - added by thomaswm 2 years ago.
Corrected typo in unit tests


Change History (34)

#1 @johnbillion
4 years ago

I like the sound of this. Count me in.

#2 @mordauk
4 years ago

I'm all for this as well.

#3 @nacin
4 years ago

I've looked at this before. I see two ways forward:

  • There is a force_ssl_content() function in multisite that isn't actually used and could be repurposed for this.
  • We could simply detect if the home URL and site URL use the https protocol, and if so, force it for everything (including login and admin). It could be handled for the frontend inside canonical pretty easily, though to properly support this long-term we'll want to start to leverage HSTS.

#4 follow-up: @mordauk
4 years ago

Seems detecting if home or site URL use HTTPS would work fine.

#5 in reply to: ↑ 4 ; follow-up: @Denis-de-Bernardy
4 years ago

Replying to mordauk:

Seems detecting if home or site URL use HTTPS would work fine.

Yep. Seems a bit overkill to add a define when changing the two URLs force SSL site-wide already.

#6 in reply to: ↑ 5 @bryanquigley
4 years ago

Replying to Denis-de-Bernardy:

Yep. Seems a bit overkill to add a define when changing the two URLs force SSL site-wide already.

I tried changing both WordPress Address (URL) and Site Address (URL) to https first actually. That does make more sense to me than adding "FORCE_SSL"...

#7 @nacin
4 years ago

  • Component changed from General to Security
  • Milestone changed from Awaiting Review to 4.0
  • Type changed from feature request to task (blessed)

#8 @nacin
4 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 28610:

Force SSL on the frontend via canonical when the home URL uses the https scheme.

fixes #27954.

#9 @johnbillion
4 years ago

  • Keywords needs-unit-tests added
  • Resolution fixed deleted
  • Status changed from closed to reopened

I've got some unit tests to go onto this.

#10 @johnbillion
4 years ago

  • Owner changed from nacin to johnbillion
  • Status changed from reopened to accepted

#11 @nacin
4 years ago

In 28674:

Force SSL admin when siteurl is explicitly configured with HTTPS.

see #27954.

#12 @johnbillion
4 years ago

I think you meant to reference #28426

#13 @johnbillion
4 years ago

In 28704:

Add some basic unit tests for HTTPS canonical redirects. See #27954.

#14 @johnbillion
4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

#16 follow-up: @Just a guy
4 years ago

Awesome work! Is there a check to prevent forcing HTTPS on the frontend of a network subsite using a mapped domain, since a wildcard cert only covers the primary site frontend (domain.com) and *.domain admin areas?

#17 @jorbin
4 years ago

As r30090 reverted the fix for this, we either need to re-open this ticket and/or remove the now failing unit tests that were added in r28704.

#18 @boonebgorges
4 years ago

  • Keywords needs-patch added
  • Milestone changed from 4.0 to Future Release

wonderboymusic reverted the test in [30160]. This ticket should be reopened, as it has some cascading consequences. See e.g. https://core.trac.wordpress.org/ticket/15928#comment:81.

#19 @SergeyBiryukov
3 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#20 in reply to: ↑ 16 @seoactivist
3 years ago

Replying to Just a guy:

Awesome work! Is there a check to prevent forcing HTTPS on the frontend of a network subsite using a mapped domain, since a wildcard cert only covers the primary site frontend (domain.com) and *.domain admin areas?

Just a note: I run a multisite site network with a validated Wildcard securing login/admin at original network addresses, however I am using CloudFlare to provide SSL for my mapped domains (alternatively, one could be using SNI & single certs)...so, this exists and should be allowed :)

#21 @wonderboymusic
3 years ago

  • Milestone changed from Future Release to 4.4

3 years ago

This ticket was mentioned in Slack in #core by sergey.

#23 @johnbillion
3 years ago

  • Milestone changed from 4.4 to Future Release

Going to look at this as part of more comprehensive HTTPS work.

#24 @johnbillion
2 years ago

  • Keywords https added

@thomaswm
2 years ago

Redirect frontend to HTTPS if FORCE_SSL constant is set to true

#25 @thomaswm
2 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

27954.diff uses canonical redirects to redirect requests on the frontend to HTTPS if the FORCE_SSL constant is set to true.
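The two triggers discussed in this thread (nacin's "home URL uses the https scheme" in comment #3 and the FORCE_SSL constant in comment #25), together with the mapped-domain caveat from comment #16, can be illustrated in one small plugin-style snippet. This is an added example written for this page, not 27954.diff or any code from WordPress core. It assumes the proposed FORCE_SSL constant (not part of core), a hypothetical filter name `force_ssl_redirect`, and the real WordPress helpers `is_ssl()`, `home_url()`, `wp_safe_redirect()`, `apply_filters()` and the `template_redirect` action; the decision itself is kept in a pure function so it runs, and checks itself, with plain `php` outside WordPress.

```php
<?php
// Added example, not the ticket's patch. Decision logic for a front-end
// HTTP -> HTTPS canonical redirect, kept free of WordPress calls so it can
// be tested without a WordPress bootstrap.

/**
 * Return the HTTPS URL a request must be redirected to, or null for none.
 *
 * @param bool   $force_ssl   True when the (proposed) FORCE_SSL constant is set.
 * @param string $home_url    Value of home_url(); an https scheme is the
 *                            other trigger described in comment #3.
 * @param bool   $is_ssl      Whether the current request already uses TLS.
 * @param string $host        Request host (HTTP_HOST).
 * @param string $request_uri Path and query string of the request.
 */
function https_redirect_target( $force_ssl, $home_url, $is_ssl, $host, $request_uri ) {
    if ( $is_ssl ) {
        return null; // Already on HTTPS; returning early prevents redirect loops.
    }

    $home_scheme = strtolower( (string) parse_url( $home_url, PHP_URL_SCHEME ) );
    $home_host   = strtolower( (string) parse_url( $home_url, PHP_URL_HOST ) );

    if ( ! $force_ssl && 'https' !== $home_scheme ) {
        return null; // Neither trigger applies; plain HTTP stays allowed.
    }

    // Comment #16: a mapped domain on a network subsite may not be covered by
    // the network's wildcard certificate. Without an explicit FORCE_SSL, only
    // redirect requests whose host matches the configured home URL.
    if ( ! $force_ssl && strtolower( $host ) !== $home_host ) {
        return null;
    }

    // Build the target from the request host plus a path that always starts
    // with exactly one slash: ltrim() turns "//evil.example/x" into
    // "/evil.example/x", so a protocol-relative path cannot steer the redirect
    // to another origin.
    $path = '/' . ltrim( $request_uri, '/' );
    return 'https://' . strtolower( $host ) . $path;
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: template_redirect only fires for front-end requests,
    // so admin and login (covered by FORCE_SSL_ADMIN) are untouched.
    add_action( 'template_redirect', function () {
        $target = https_redirect_target(
            defined( 'FORCE_SSL' ) && FORCE_SSL,            // proposed constant
            home_url( '/' ),
            is_ssl(),
            isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '',
            isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/'
        );
        if ( null === $target ) {
            return;
        }
        // Hypothetical filter: a domain-mapping plugin can return false for
        // hosts it knows are served without TLS.
        if ( ! apply_filters( 'force_ssl_redirect', true, $target ) ) {
            return;
        }
        wp_safe_redirect( $target, 301 );
        exit;
    } );
} else {
    // Outside WordPress: self-check with constructed inputs (example.test is
    // a made-up host). Run with: php force-ssl-example.php
    $home = 'https://example.test/';
    assert( null === https_redirect_target( false, 'http://example.test/', false, 'example.test', '/' ) );
    assert( 'https://example.test/about/?p=1' === https_redirect_target( false, $home, false, 'example.test', '/about/?p=1' ) );
    assert( null === https_redirect_target( false, $home, false, 'mapped.example', '/' ) );
    assert( 'https://mapped.example/' === https_redirect_target( true, $home, false, 'mapped.example', '/' ) );
    assert( null === https_redirect_target( true, $home, true, 'example.test', '/' ) );
    assert( 'https://example.test/evil.example/x' === https_redirect_target( false, $home, false, 'example.test', '//evil.example/x' ) );
    echo "all checks passed\n";
}
```

Two points a practitioner would want to keep in mind with this shape: HTTP_HOST is attacker-controlled, so the redirect target only ever reuses the host the request already arrived on (never a host taken from the path or query), and the HSTS header nacin mentions belongs on the HTTPS responses themselves, only once every host under the home domain can serve TLS, because browsers cache that commitment.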

#26 @dd32
2 years ago

#35735 was marked as a duplicate.

@thomaswm
2 years ago

Unit tests

#27 @thomaswm
2 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed

27954.3.diff adds unit tests which ensure that redirect_canonical() always redirects to HTTPS if FORCE_SSL is set to true.

Last edited 2 years ago by thomaswm

@thomaswm
2 years ago

Corrected typo in unit tests

20 months ago

This ticket was mentioned in Slack in #core-http by johnbillion.

8 months ago

This ticket was mentioned in Slack in #core by benoitchantre.

#30 follow-up: @westonruter
3 months ago

There's this ticket and there is #28521. Should this be closed and the current status moved over to #28521?

#31 in reply to: ↑ 30 @thomaswm
2 months ago

Replying to westonruter:

There's this ticket and there is #28521. Should this be closed and the current status moved over to #28521?

Yes, probably.

This ticket focuses on the HTTP redirect to the HTTPS URL, whereas #28521 is about rewriting local URLs in the HTML source code to HTTPS. But these two things really go together and I'm not sure if it makes sense to have two separate tickets for them.
