#33547 closed defect (bug) (wontfix)
Smilies are served over http instead of https and create mixed content when logged in
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Posts, Post Types | Keywords: | needs-patch needs-unit-tests https bulk-reopened |
| Focuses: | administration | Cc: |
Description
When I'm logged in into admin panel and view my website, the smilies are served over http instead of https which causes that there is mixed content and no graphics are displayed on the website at all.
Attachments (1)
Change History (11)
#1
@
9 years ago
- Component changed from General to Posts, Post Types
- Focuses administration added
- Keywords reporter-feedback added
#2
@
9 years ago
- Keywords has-patch dev-feedback added
- Milestone changed from Awaiting Review to 4.4
33547.diff supports a new scheme, none, to produce scheme-less URLs. Smilies could pass none to includes_url()
#3
@
9 years ago
I proposed the same in #28632.
This looks like includes_url() is at fault. Is anything else that uses includes_url() from within the admin context affected?
#4
@
9 years ago
fwiw scheme-less url's were mentioned on slack the other day in an HTTP/2 discussion, and @tollmanz commented how they were an anti-pattern nowadays. https://wordpress.slack.com/archives/core/p1441918729000823
a few posts below, @eric posted a really good link discussing it http://www.paulirish.com/2010/the-protocol-relative-url/
"Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.
Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true."
#5
@
9 years ago
- Keywords has-unit-tests added
33547.diff still applies and tests pass. Looks like we never got reporter feedback. @johnbillion what would you like to do here?
#6
@
9 years ago
- Keywords needs-patch needs-unit-tests added; reporter-feedback has-patch dev-feedback has-unit-tests removed
- Milestone changed from 4.4 to Future Release
- Owner set to johnbillion
- Status changed from new to assigned
- Version 4.3 deleted
Bumping. I don't think protocol-relative URLs are the answer here. includes_url() needs to be fixed so it's aware of context. I have some thoughts on fixing the $scheme parameter for all of our URL functions that I'll explore in 4.5.
This ticket was mentioned in Slack in #core-http by johnbillion. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-http by johnbillion. View the logs.
8 years ago
#12
@
6 years ago
- Keywords bulk-reopened added
- Resolution set to wontfix
- Status changed from assigned to closed
Closing due to lack of interest. Best practice these days dictates that sites should be served entirely over HTTPS, as opposed to HTTPS just for sensitive areas of the site, and running a site that uses a mixture has always caused problems. Switching entirely to HTTPS is the answer.
Thanks for the report, Strzyga. Can you tell me a bit about your website configuration so we can try to reproduce the problem please?
httpsin both/either/neither of the "Site Address (URL)" or "WordPress Address (URL)" settings on the Settings screen?FORCE_SSL_ADMINconstant?