Opened 4 years ago

Last modified 3 months ago

#27954 reopened task (blessed)

Add FORCE_SSL option to enable HTTPS everywhere on the site

Reported by: bryanquigley
Owned by: johnbillion
Milestone: Future Release
Priority: normal
Severity: normal
Version: 4.0
Component: Security
Keywords: https has-patch needs-testing has-unit-tests
Focuses:
Cc:

Description

We have the option to FORCE_SSL_ADMIN and FORCE_SSL_LOGINs, but not to FORCE_SSL for everyone everywhere.

Aside: It appears wordpress.com forces SSL everywhere

Attachments (3)

27954.diff (1.4 KB) - added by thomaswm 23 months ago.
Redirect frontend to HTTPS if FORCE_SSL constant is set to true
27954.2.diff (2.2 KB) - added by thomaswm 19 months ago.
Unit tests
27954.3.diff (2.2 KB) - added by thomaswm 19 months ago.
Corrected typo in unit tests


Change History (32)

#1 @johnbillion
4 years ago

I like the sound of this. Count me in.

#2 @mordauk
4 years ago

I'm all for this as well.

#3 @nacin
4 years ago

I've looked at this before. I see two ways forward:

  • There is a force_ssl_content() function in multisite that isn't actually used and could be repurposed for this.
  • We could simply detect if the home URL and site URL use the https protocol, and if so, force it for everything (including login and admin). It could be handled for the frontend inside canonical pretty easily, though to properly support this long-term we'll want to start to leverage HSTS.

#4 follow-up: @mordauk
4 years ago

Seems detecting if home or site URL use HTTPS would work fine.

#5 in reply to: ↑ 4 ; follow-up: @Denis-de-Bernardy
4 years ago

Replying to mordauk:

Seems detecting if home or site URL use HTTPS would work fine.

Yep. Seems a bit overkill to add a define when changing the two URLs force SSL site-wide already.

#6 in reply to: ↑ 5 @bryanquigley
4 years ago

Replying to Denis-de-Bernardy:

Yep. Seems a bit overkill to add a define when changing the two URLs force SSL site-wide already.

I tried changing both WordPress Address (URL) and Site Address (URL) to https first actually. That does make more sense to me than adding "FORCE_SSL"...

#7 @nacin
4 years ago

  • Component changed from General to Security
  • Milestone changed from Awaiting Review to 4.0
  • Type changed from feature request to task (blessed)

#8 @nacin
4 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 28610:

Force SSL on the frontend via canonical when the home URL uses the https scheme.

fixes #27954.

#9 @johnbillion
4 years ago

  • Keywords needs-unit-tests added
  • Resolution fixed deleted
  • Status changed from closed to reopened

I've got some unit tests to go onto this.

#10 @johnbillion
4 years ago

  • Owner changed from nacin to johnbillion
  • Status changed from reopened to accepted

#11 @nacin
4 years ago

In 28674:

Force SSL admin when siteurl is explicitly configured with HTTPS.

see #27954.

#12 @johnbillion
4 years ago

I think you meant to reference #28426

#13 @johnbillion
4 years ago

In 28704:

Add some basic unit tests for HTTPS canonical redirects. See #27954.

#14 @johnbillion
4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

#16 follow-up: @Just a guy
3 years ago

Awesome work! Is there a check to prevent forcing HTTPS on the frontend of a network subsite using a mapped domain, since a wildcard cert only covers the primary site frontend (domain.com) and *.domain admin areas?

#17 @jorbin
3 years ago

As r30090 reverted the fix for this, we either need to re-open this ticket and/or remove the now failing unit tests that were added in r28704

#18 @boonebgorges
3 years ago

  • Keywords needs-patch added
  • Milestone changed from 4.0 to Future Release

wonderboymusic reverted the test in [30160]. This ticket should be reopened, as it has some cascading consequences. See eg https://core.trac.wordpress.org/ticket/15928#comment:81.

#19 @SergeyBiryukov
3 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#20 in reply to: ↑ 16 @seoactivist
3 years ago

Replying to Just a guy:

Awesome work! Is there a check to prevent forcing HTTPS on the frontend of a network subsite using a mapped domain, since a wildcard cert only covers the primary site frontend (domain.com) and *.domain admin areas?

Just a note: I run a multisite site network with a validated Wildcard securing login/admin at original network addresses, however I am using CloudFlare to provide SSL for my mapped domains (alternatively, one could be using SNI & single certs)...so, this exists and should be allowed :)

#21 @wonderboymusic
2 years ago

  • Milestone changed from Future Release to 4.4

This ticket was mentioned in Slack in #core by sergey.
2 years ago

#23 @johnbillion
2 years ago

  • Milestone changed from 4.4 to Future Release

Going to look at this as part of more comprehensive HTTPS work.

#24 @johnbillion
2 years ago

  • Keywords https added

@thomaswm
23 months ago

Redirect frontend to HTTPS if FORCE_SSL constant is set to true

#25 @thomaswm
23 months ago

  • Keywords has-patch needs-testing added; needs-patch removed

27954.diff uses canonical redirects to redirect requests on the frontend to HTTPS if the FORCE_SSL constant is set to true.
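The redirect logic described in comment #3 (detect an https home URL and force it via canonical) and in comment #25 (redirect when FORCE_SSL is true), written out as an added stand-alone model; this is example code, not the attached patch or WordPress core, and SiteConfig, effective_scheme and canonical_https_redirect are hypothetical names. The trust_proxy field and the HSTS helper are assumptions added to show the proxy redirect-loop caveat from comment #20 and nacin's HSTS suggestion.

```python
# Added example, not code from the ticket or from WordPress core. Models the
# canonical HTTPS redirect from comments #3 and #25: redirect when the home
# URL already uses https or the proposed FORCE_SSL constant is set.
# SiteConfig, effective_scheme and canonical_https_redirect are hypothetical.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class SiteConfig:
    home_url: str              # WordPress "Site Address (URL)", per site on multisite
    force_ssl: bool = False    # stands in for the proposed FORCE_SSL constant
    trust_proxy: bool = False  # honour X-Forwarded-Proto only behind a known TLS terminator


def wants_https(cfg: SiteConfig) -> bool:
    """Nacin's check: an https home URL (or FORCE_SSL) means HTTPS everywhere."""
    return cfg.force_ssl or urlsplit(cfg.home_url).scheme == "https"


def effective_scheme(cfg: SiteConfig, scheme: str, headers: dict) -> str:
    """Scheme the client actually used. Behind a TLS-terminating proxy (the
    CloudFlare setup in comment #20) the backend sees plain http, so a naive
    is_ssl()-style check would redirect forever; trust the forwarded header
    only when the operator has declared the proxy."""
    forwarded = headers.get("X-Forwarded-Proto", "").lower()
    if cfg.trust_proxy and forwarded in ("http", "https"):
        return forwarded
    return scheme.lower()


def canonical_https_redirect(cfg: SiteConfig, scheme: str, host: str,
                             path: str, query: str = "",
                             headers: Optional[dict] = None) -> Optional[str]:
    """Return the Location for a 301 to https, or None when no redirect is needed.
    A subsite whose own home URL is still http (comment #16) gets None."""
    if not wants_https(cfg):
        return None
    if effective_scheme(cfg, scheme, headers or {}) == "https":
        return None
    return urlunsplit(("https", host, path, query, ""))


def hsts_header(cfg: SiteConfig, max_age: int = 31536000) -> Optional[str]:
    """Strict-Transport-Security value for https-only sites (nacin's long-term
    suggestion in #3); never sent while the site still serves plain http."""
    if not wants_https(cfg):
        return None
    return f"max-age={max_age}"
```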

#26 @dd32
22 months ago

#35735 was marked as a duplicate.

@thomaswm
19 months ago

Unit tests

#27 @thomaswm
19 months ago

  • Keywords has-unit-tests added; needs-unit-tests removed

27954.3.diff adds unit tests which ensure that redirect_canonical() always redirects to HTTPS if FORCE_SSL is set to true.

Last edited 19 months ago by thomaswm

@thomaswm
19 months ago

Corrected typo in unit tests

This ticket was mentioned in Slack in #core-http by johnbillion.
14 months ago

This ticket was mentioned in Slack in #core by benoitchantre.
3 months ago