Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#34299 closed enhancement (fixed)

Force the REST API endpoint to HTTPS when appropriate

Reported by: johnbillion
Owned by: johnbillion
Milestone: 4.4
Priority: normal
Severity: normal
Version: 4.4
Component: REST API
Keywords: has-patch has-unit-tests
Focuses:
Cc:

Description

Given a site which runs over http but the admin area runs over https (for example via FORCE_SSL_ADMIN), the REST API endpoint will point to an http URL in the admin area. This makes the endpoint inaccessible to clients due to cross-protocol restrictions.

An example of where this is visible is the REST API Console plugin.

If the host name of the REST API endpoint matches the host name of the current request, then the REST API endpoint URL can be forced to https.

Previous discussion:

Attachments (1)

34299.diff (623 bytes) - added by johnbillion 10 years ago.


Change History (10)

#1 @johnbillion
10 years ago

  • Keywords has-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to 4.4

#3 @wonderboymusic
10 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

#4 @johnbillion
10 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 35342:

Force the REST API URL to use https for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.

This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299

#5 @johnbillion
10 years ago

In 35344:

Remove the failing test_rest_url_scheme() test while it's investigated.

See #34299

#6 @johnbillion
10 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

#7 @johnbillion
10 years ago

In 35349:

Revert [34352], pending investigation.

See #34299

#8 @johnbillion
10 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 35351:

Force the REST API URL to use https for its scheme when the current request is served over HTTPS and the host name matches that of the REST API URL.

This allows sites to use an admin area over HTTPS with the front end over HTTP, and not end up with a cross-protocol problem when using the REST API URL in the admin area.

Fixes #34299
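
The rule stated in the ticket description and the commit message (switch the REST API URL to https only when the current request is served over HTTPS and the host names match), sketched as an added example; this is not WordPress core code or the attached patch. The function name, its parameters, the handling of explicit ports and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. All names here are hypothetical.
// Upgrades the scheme of $endpointUrl to https when the current request is
// HTTPS and its host matches the endpoint host. It never downgrades a URL and
// never changes the host, so a client-supplied Host value cannot redirect the
// endpoint elsewhere; it can only fail to match.
function force_https_for_same_host(string $endpointUrl, bool $requestIsHttps, ?string $requestHost): string
{
    // Upgrade only: a plain-HTTP request leaves the URL untouched.
    if (!$requestIsHttps || $requestHost === null || $requestHost === '') {
        return $endpointUrl;
    }

    $parts = parse_url($endpointUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $endpointUrl; // relative or malformed URL
    }
    if (strtolower($parts['scheme']) !== 'http') {
        return $endpointUrl; // already https, or not an HTTP URL at all
    }
    // Assumption: with an explicit port the matching HTTPS port is unknown, so leave it.
    if (isset($parts['port'])) {
        return $endpointUrl;
    }

    // A Host header may carry a port and any letter case; normalise before comparing.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $requestHost));
    if ($host !== strtolower($parts['host'])) {
        return $endpointUrl; // different host: no claim that it serves HTTPS
    }

    // Rewrite the scheme only; host, path and query stay byte-for-byte the same.
    return 'https' . substr($endpointUrl, strlen($parts['scheme']));
}

// Constructed sample inputs: [endpoint URL, request is HTTPS?, request host].
$cases = [
    ['http://example.test/wp-json/',      true,  'example.test'],     // admin over HTTPS, same host
    ['http://example.test/wp-json/',      false, 'example.test'],     // front end over HTTP
    ['http://api.example.test/wp-json/',  true,  'example.test'],     // endpoint on another host
    ['http://example.test/wp-json/',      true,  'EXAMPLE.test:443'], // host with port and mixed case
    ['http://example.test:8080/wp-json/', true,  'example.test'],     // endpoint with explicit port
];
foreach ($cases as [$url, $https, $host]) {
    printf("%-36s https=%-5s host=%-17s => %s\n", $url, var_export($https, true), $host,
        force_https_for_same_host($url, $https, $host));
}
```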

This ticket was mentioned in Slack in #core by johnbillion.