WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 20 months ago

Last modified 12 months ago

#40416 closed enhancement (fixed)

Use HTTPS in wp_dashboard_primary()

Reported by: iandunn Owned by: SergeyBiryukov
Milestone: 5.1 Priority: normal
Severity: minor Version:
Component: Administration Keywords: has-patch
Focuses: Cc:
PR Number:

Description

The feed URLs for news and popular plugins are still using HTTP.

From #27115, it sounds like they initially weren't converted to HTTPS because some servers don't support outgoing SSL connections, and at the time w.org did not redirect HTTP -> HTTPS.

Both of those URLs 301 redirect to HTTPS URLs now, so I can't think of any reason to leave them as HTTP. The URL for the Planet feed was set to HTTPS in r29787, even though Planet doesn't redirect to HTTPS yet, so that seems like further precedent to update this.

The popular plugins URL was redirecting 3 times until it finally got to the new URL in the patch, so this should be a bit faster too.

The popular plugins aren't currently shown with the old or new URLs, because of meta:#2723. It seems like it might be fine to continue with the change to HTTPS, though, since it's broken anyway, and it should start working once the Meta ticket is fixed.

Attachments (1)

40416.diff (954 bytes) - added by iandunn 3 years ago.

Download all attachments as: .zip

Change History (10)

@iandunn
3 years ago

#1 @iandunn
3 years ago

  • Keywords has-patch added
  • Severity changed from normal to minor

#2 @iandunn
3 years ago

Previously: #34685, but it seems like circumstances have changed since then.

#3 @iandunn
3 years ago

The popular plugins aren't currently shown with the old or new URLs, because of meta:#2723

That's fixed now, and 40416.diff looks good with the valid feed.

#4 @dd32
3 years ago

Ideally these would still be accessible over HTTP, but I don't see that as a major issue anymore. I see no real harm in moving these to HTTPS.

I've asked systems if it's possible to determine how much HTTP vs HTTPS traffic api.wordpress.org gets to try to determine if we still need to keep systems in mind which can't communicate over HTTPS (Those are those without OpenSSL or with cURL and a broken SSL transport compiled in).

#5 @SergeyBiryukov
20 months ago

#43396 was marked as a duplicate.

#6 @SergeyBiryukov
20 months ago

  • Milestone changed from Awaiting Review to 5.0

#7 @SergeyBiryukov
20 months ago

The popular plugins feed was removed in [40607], so it's just the WordPress News feed now.

#8 @SergeyBiryukov
20 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 42731:

Administration: Use HTTPS for dashboard_primary_feed URL.

dashboard_secondary_feed is already using HTTPS since [29787].

Props iandunn.
Fixes #40416.

#9 @pento
12 months ago

  • Milestone changed from 5.0 to 5.1
Note: See TracTickets for help on using tickets.