Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#29240 closed defect (bug) (worksforme)

Post preview button initiates over HTTP

Reported by: filco Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.9.2
Component: Security Keywords: reporter-feedback
Focuses: Cc:


Despite an HTTPS website forcing encrypted traffic via HSTS, clicking the preview button in a post initiates an HTTP session when opening a new window for that session. This can be reproduced by installing a browser plugin that blocks non-HTTPS traffic.

Change History (2)

#1 @johnbillion
6 years ago

  • Keywords reporter-feedback added; HTTP HTTPS removed

Thanks for the report filco. I'm unable to reproduce the problem as reported.

If you have HSTS enabled for the domain and your browser is still allowing HTTP connections to the domain, then something is misconfigured with your browser or with your HSTS header. What happens if you manually navigate to the HTTP URL for your site?

What's the scheme of the "Site Address" on your site's General Settings screen? Is it https? If not, it is expected behaviour that you will be redirected to an HTTP URL for the preview. When you hit the "Preview" button, the actual save action will be sent over the same protocol as your admin area (I'm assuming HTTPS in your case). You'll then be redirected to the post preview, which will be sent over HTTP if that's what you've got set in your "Site Address".

#2 @chriscct7
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

Lack of reporter feedback, and unable to reproduce the issue as well.

Note: See TracTickets for help on using tickets.