Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#34299 closed enhancement (fixed)

Force the REST API endpoint to HTTPS when appropriate

Reported by: johnbillion
Owned by: johnbillion
Milestone: 4.4
Priority: normal
Severity: normal
Version: 4.4
Component: REST API
Keywords: has-patch has-unit-tests
Focuses:
Cc:

Description

Given a site which runs over http but the admin area runs over https (for example via FORCE_SSL_ADMIN), the REST API endpoint will point to an http URL in the admin area. This makes the endpoint inaccessible to clients due to cross-protocol restrictions.

An example of where this is visible is the REST API Console plugin.

If the host name of the REST API endpoint matches the host name of the current request, then the REST API endpoint URL can be forced to https.

Previous discussion:

Attachments (1)

34299.diff (623 bytes) - added by johnbillion 3 years ago.


Change History (10)

@johnbillion
3 years ago

#1 @johnbillion
3 years ago

  • Keywords has-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 4.4

#3 @wonderboymusic
3 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

#4 @johnbillion
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 35342:

Force the REST API URL to use https for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.

This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299

#5 @johnbillion
3 years ago

In 35344:

Remove the failing test_rest_url_scheme() test while it's investigated.

See #34299

#6 @johnbillion
3 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

#7 @johnbillion
3 years ago

In 35349:

Revert [34352], pending investigation.

See #34299

#8 @johnbillion
3 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 35351:

Force the REST API URL to use https for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.

This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299
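The check described in the commit message above, as an added stand-alone PHP example; it is not WordPress core code or the attached patch. The function name `example_force_rest_url_scheme()` and the `example.test` hosts are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical helper, not WordPress core code.

/**
 * Return $rest_url with its scheme forced to https when the current
 * request is served over HTTPS and was made to the same host as the REST URL.
 */
function example_force_rest_url_scheme( string $rest_url, bool $request_is_https, string $request_host ): string {
	if ( ! $request_is_https ) {
		return $rest_url; // Page served over HTTP: an http endpoint is same-protocol.
	}

	$parts = parse_url( $rest_url );
	if ( false === $parts || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
		return $rest_url; // Malformed or relative URL: leave untouched.
	}

	// Host names are case-insensitive; strip any ":port" from the request host.
	$rest_host = strtolower( $parts['host'] );
	$req_host  = strtolower( preg_replace( '/:\d+$/', '', $request_host ) );

	if ( $rest_host !== $req_host || 'http' !== strtolower( $parts['scheme'] ) ) {
		// Different host (nothing shows it serves HTTPS), or already https.
		return $rest_url;
	}

	// Swap only the scheme; host, path and query stay exactly as given.
	return 'https' . substr( $rest_url, strlen( $parts['scheme'] ) );
}

// Constructed sample inputs: REST URL, is the request HTTPS, request host.
$cases = array(
	array( 'http://example.test/wp-json/', true, 'example.test' ),      // upgraded
	array( 'http://example.test/wp-json/', false, 'example.test' ),     // request is HTTP
	array( 'http://api.example.test/wp-json/', true, 'example.test' ),  // host differs
	array( 'http://Example.test/wp-json/', true, 'example.test:443' ),  // case and port
);

foreach ( $cases as $c ) {
	printf(
		"%-34s https=%-5s host=%-17s => %s\n",
		$c[0], var_export( $c[1], true ), $c[2],
		example_force_rest_url_scheme( ...$c )
	);
}
```

Only the first and last cases come back with an `https` scheme; the mismatched-host case is left alone because the current request says nothing about whether that other host answers over HTTPS.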

This ticket was mentioned in Slack in #core by johnbillion.


3 years ago
