All cookies should be secure when `home` and `siteurl` use HTTPS

[johnbillion]

In the situation where a site is only served over SSL (ie. the home and siteurl options use the HTTPS scheme) then all cookies should have the secure flag set.

Currently the secure flag isn't set on the test cookie and the settings cookies in this situation.

Somewhat related: #28426.

[johnbillion]

Also applies to the comment_author and comment_author_email cookies.

[johnbillion]

28427.diff​ tackles this. Note that it relies on my patch for is_https() on #28487​.

The patch sets the 'secure' flag on...

• The test cookie if both home_url() and site_url() are https.
• The settings cookies if site_url() is https.
• The post password cookie if home_url() is https.
• The comment author cookies if the comment post permalink is https.

I'm in two minds about the comment author cookies. It could just check for https on home_url() rather than the current comment post permalink.

[johnbillion]

In 28895:

Conditionally set the the secure flag on the test cookie, post password cookie, settings cookies, and comment author cookies depending on whether the front end and/or admin area are served over https. Fixes #28427

[ocean90]

In 29311:

Replace is_https_url() with 'https' === parse_url( $url, PHP_URL_SCHEME ).

see #28427, #28487.