Make WordPress Core

Opened 9 years ago

Closed 5 years ago

Last modified 5 years ago

#33547 closed defect (bug) (wontfix)

Smilies are served over http instead of https and create mixed content when logged in

Reported by: strzyga's profile Strzyga Owned by: johnbillion's profile johnbillion
Milestone: Priority: normal
Severity: normal Version:
Component: Posts, Post Types Keywords: needs-patch needs-unit-tests https bulk-reopened
Focuses: administration Cc:


When I'm logged in into admin panel and view my website, the smilies are served over http instead of https which causes that there is mixed content and no graphics are displayed on the website at all.

Attachments (1)

33547.diff (2.8 KB) - added by wonderboymusic 9 years ago.

Download all attachments as: .zip

Change History (11)

#1 @johnbillion
9 years ago

  • Component changed from General to Posts, Post Types
  • Focuses administration added
  • Keywords reporter-feedback added

Thanks for the report, Strzyga. Can you tell me a bit about your website configuration so we can try to reproduce the problem please?

  • Do you have https in both/either/neither of the "Site Address (URL)" or "WordPress Address (URL)" settings on the Settings screen?
  • Are you using the FORCE_SSL_ADMIN constant?
  • Does the problem persist if you deactivate all your plugins and switch to one of the default themes?

9 years ago

#2 @wonderboymusic
9 years ago

  • Keywords has-patch dev-feedback added
  • Milestone changed from Awaiting Review to 4.4

33547.diff supports a new scheme, none, to produce scheme-less URLs. Smilies could pass none to includes_url()

#3 @johnbillion
9 years ago

I proposed the same in #28632.

This looks like includes_url() is at fault. Is anything else that uses includes_url() from within the admin context affected?

#4 @dmchale
9 years ago

fwiw scheme-less url's were mentioned on slack the other day in an HTTP/2 discussion, and @tollmanz commented how they were an anti-pattern nowadays.

a few posts below, @eric posted a really good link discussing it

"Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.

Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true."

#5 @DrewAPicture
9 years ago

  • Keywords has-unit-tests added

33547.diff still applies and tests pass. Looks like we never got reporter feedback. @johnbillion what would you like to do here?

#6 @johnbillion
9 years ago

  • Keywords needs-patch needs-unit-tests added; reporter-feedback has-patch dev-feedback has-unit-tests removed
  • Milestone changed from 4.4 to Future Release
  • Owner set to johnbillion
  • Status changed from new to assigned
  • Version 4.3 deleted

Bumping. I don't think protocol-relative URLs are the answer here. includes_url() needs to be fixed so it's aware of context. I have some thoughts on fixing the $scheme parameter for all of our URL functions that I'll explore in 4.5.

#7 @johnbillion
9 years ago

  • Keywords https added

This ticket was mentioned in Slack in #core-http by johnbillion. View the logs.

8 years ago

This ticket was mentioned in Slack in #core-http by johnbillion. View the logs.

8 years ago

#12 @johnbillion
5 years ago

  • Keywords bulk-reopened added
  • Resolution set to wontfix
  • Status changed from assigned to closed

Closing due to lack of interest. Best practice these days dictates that sites should be served entirely over HTTPS, as opposed to HTTPS just for sensitive areas of the site, and running a site that uses a mixture has always caused problems. Switching entirely to HTTPS is the answer.

Note: See TracTickets for help on using tickets.