#32552 closed enhancement (fixed)
Use HTTPS for Google API external libraries
Reported by: | netweb | Owned by: | rommelxcastro |
---|---|---|---|
Milestone: | 4.3 | Priority: | normal |
Severity: | normal | Version: | |
Component: | External Libraries | Keywords: | good-first-bug has-patch |
Focuses: | | Cc: | |
Description
Via https://developers.google.com/speed/libraries/?csw=1#libraries
"We recommend that you load libraries from the CDN via HTTPS, even if your own website only uses HTTP. Nowadays, performance is fast, and caching works just the same. The CDN's files are served with CORS and Timing-Allow headers and allowed to be cached for 1 year."
Attachments (1)
Change History (15)
This ticket was mentioned in Slack in #meta by netweb (9 years ago).
#3 (9 years ago)
- Milestone changed from Awaiting Review to 4.3
Thanks for the patch WordCamp Orange County :)
#5 (9 years ago; follow-up: 6)
The current patch 32552.diff includes Google Fonts, i.e. https://fonts.googleapis.com; in the original linked reference the only documented libraries are the JavaScript libraries: https://developers.google.com/speed/libraries/?csw=1#libraries
Should we only do the JavaScript libraries for now until Google officially documents the same for Fonts?
Just to note that loading Google fonts via HTTPS works just fine; I just wanted to raise the point for discussion.
#6 (9 years ago; in reply to: 5)
Replying to netweb:
> Should we only do the JavaScript libraries for now until Google officially documents the same for Fonts?
The recommendation by Google is to avoid man-on-the-side attacks, fonts are susceptible so given it works then I think they can be actioned now. The font servers include the relevant headers.
#9 (9 years ago; follow-up: 10)
- Keywords needs-patch dev-feedback added; has-patch removed
- Resolution fixed deleted
- Severity changed from normal to critical
- Status changed from closed to reopened
- Type changed from enhancement to defect (bug)
- Is inappropriate change
- Has security implications
As per comment on GitHub: https://github.com/WordPress/WordPress/commit/81df9bffc5ffdda9cd7c16dadef21b574f9ee922#commitcomment-11859945 (most recent code change that is relevant to the issue described)
Please make a change and do not load libraries from external sources. This centralizes the failure point and enables the external provider to track all visitors, or worse, inject code in a targeted manner via referrer, domain, IP and public cookie matching. Please include these resources locally with the WordPress installation and make using the local copy the default. In case you'd like to provide users with the option to use a CDN, please do it in a manner which allows and encourages those managing multiple WordPress installations to 1. use their own, 2. verify the script loaded is the right one (lazy load it with JavaScript and verify a checksum) and 3. avoid leaking users' browser behavior to third parties.
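Two checks come out of this thread: the ticket's own change (third-party libraries must be referenced over HTTPS rather than via http:// or scheme-relative // URLs, which a man-on-the-side attacker on the visitor's path can otherwise rewrite), and comment 9's request that a loaded script be verified against a checksum. The audit below is an added example written for this page, not code from WordPress or from any participant. It scans a page's markup for cross-origin scripts and stylesheets, reports plain-HTTP and scheme-relative references with their HTTPS rewrite, and flags scripts that carry no Subresource Integrity hash (the `integrity` attribute is the browser's standard checksum check; the ticket itself does not name it). It generalizes beyond the Google hosts in the ticket to any cross-origin host. The sample markup and the integrity value in it are constructed for the example.

```python
"""Audit third-party <script>/<link rel=stylesheet> references in HTML.

Added example for this ticket, not WordPress code. Findings are tuples of
(url, issue, suggested_fix) where issue is one of:
  "plain-http"       - http:// URL; fix is the https:// form
  "scheme-relative"  - //host/path URL; fix is the https: form
  "no-integrity"     - cross-origin script without an SRI integrity attribute
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: one scheme-relative Google script, one http://
# Google Fonts stylesheet, one same-origin script, one script with SRI.
# The integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans">
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-constructedPlaceholder" crossorigin="anonymous"></script>
"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url, attrs) for external scripts and stylesheets."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "script" and attrs.get("src"):
            self.resources.append(("script", attrs["src"], attrs))
        elif tag == "link" and attrs.get("href"):
            rel = (attrs.get("rel") or "").split()
            if "stylesheet" in rel:
                self.resources.append(("link", attrs["href"], attrs))


def audit(html, site_host):
    """Return findings for cross-origin resources; same-origin ones are skipped."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.resources:
        parts = urlsplit(url)
        if not parts.netloc or parts.netloc == site_host:
            continue  # relative or same-origin reference: not in scope here
        if parts.scheme == "http":
            # Keep host/path/query untouched; only the scheme changes.
            findings.append((url, "plain-http", "https://" + url.split("://", 1)[1]))
        elif parts.scheme == "":
            # Scheme-relative: inherits http: on an http: page, so pin it.
            findings.append((url, "scheme-relative", "https:" + url))
        if tag == "script" and "integrity" not in attrs:
            findings.append((url, "no-integrity", None))
    return findings


if __name__ == "__main__":
    for url, issue, fix in audit(SAMPLE_HTML, "example.com"):
        print(f"{issue:16} {url}" + (f"  ->  {fix}" if fix else ""))
```

Run against the constructed sample with `example.com` as the site's own host, the audit reports the scheme-relative jQuery URL (with its `https://` rewrite and a missing integrity attribute) and the plain-HTTP Google Fonts stylesheet; the same-origin script and the SRI-protected script produce no findings. Stylesheets are not checked for `integrity` because a font stylesheet's content varies per user agent, which defeats a fixed hash.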
#10 (9 years ago; in reply to: 9)
- Keywords has-patch added; needs-patch dev-feedback removed
- Severity changed from critical to normal
- Type changed from defect (bug) to enhancement
Hello dorianmuthig, I have no idea how your concerns are related to the change to switch existing libraries to HTTPS. Please do not hijack tickets like this. There are already some tickets related to your concerns like #31801 or #26072, so feel free to comment on these ones.
Closing this one as fixed again since the original enhancement has been done.
#13 (9 years ago; in reply to: 12)
Replying to dorianmuthig:
> I was told to. See comments on GitHub.
Indeed you were directed here as this was the source of that change you commented on at GitHub, though as Dominik pointed out above the issue you have is not related to this issue and is related more to the tickets he linked, hopefully we have steered you to the best place where your feedback will be welcomed :)
#14 (9 years ago)
I commented on that change on GitHub, because not only is it the latest relevant change, but the most complete collection of changes which relate to the issue I described. As such, it is the most appropriate place to make the issue known. It also means, that the change, which was made as a result of this very enhancement request was a very inappropriate thing and should instead have resulted in further consideration for the original intention of bundling said external resources instead. It cannot be that time is wasted on such an "enhancement", but no effort is made towards bundling or not using the external resources (applicable to fonts) at all, if that was what was intended and should've been done over a year ago.
As such, my commenting on and "hijacking" this "enhancement" request wasn't actually out of place at all, all things considered.
Making a WordPress installation or upgrade package download 6MB larger is hardly an issue anymore, today.
Hey guys, here's a patch from WCOC contributors.