WordPress.org
Get WordPress

Make WordPress Core

Opened 4 years ago

Closed 3 months ago

#48407 closed enhancement (wontfix)

Change link to api.wordpress.org to HTTPS

Reported by: lenasterg's profile lenasterg Owned by:
Milestone: Priority: normal
Severity: trivial Version: 5.3
Component: Administration Keywords: 2nd-opinion close
Focuses: administration Cc:

Description

Hi there.

A minor change, for using HTTPS protocol in:

https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/dashboard.php#L1648

The:

$url     = 'http://api.wordpress.org/core/browse-happy/1.1/';

should change to 

$url     = 'https://api.wordpress.org/core/browse-happy/1.1/';

Bests,
Lena

Change History (4)

#1 @sebastienserre
4 years ago

  • Focuses administration added
  • Keywords 2nd-opinion added

Hello @lenasterg
I think it's OK as the complete part of code is:

<?php
                $url     = 'http://api.wordpress.org/core/browse-happy/1.1/';
                $options = array(
                        'body'       => array( 'useragent' => $_SERVER['HTTP_USER_AGENT'] ),
                        'user-agent' => 'WordPress/' . $wp_version . '; ' . home_url( '/' ),
                );

                if ( wp_http_supports( array( 'ssl' ) ) ) {
                        $url = set_url_scheme( $url, 'https' );
                }

If I've well understood, $url = set_url_scheme( $url, 'https' ); should return https if needed.

#2 follow-up: @lenasterg
4 years ago

Hi @sebastienserre.
You are right on that, I needed to add to the ticket, that the lines 1654-1656 are useless and need to go.
As I see it, they add extra load since the specific API (as all from WordPress.org) is given in HTTPS.

But maybe, I'm wrong on that and the wp_remote_post() function in https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/dashboard.php#L1658, needs the $url in the same protocol (http or https) as the current site.

#3 in reply to: ↑ 2 @SergeyBiryukov
4 years ago

  • Keywords close added

Replying to lenasterg:

You are right on that, I needed to add to the ticket, that the lines 1654-1656 are useless and need to go.
As I see it, they add extra load since the specific API (as all from WordPress.org) is given in HTTPS.

As far as I can see, the wp_http_supports( array( 'ssl' ) ) check introduced in [41605] is not useless, as not all sites support HTTPS requests due to outdated cURL, OpenSSL, or other configuration issues. See some examples in #25716, #25738, #26010.

#42004 standardized all requests to api.wordpress.org on using the wp_http_supports( array( 'ssl' ) ) check, so changing this one instance would be inconsistent.

#4 @hellofromTonya
3 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Hello @lenasterg,

Following up on this ticket as it's been over 3 years since close was added.

Looking at the request today, I agree with @SergeyBiryukov's assessment. The code design is intentional (see #42004).

I'll close this ticket. Please feel free to reopen if there is more to consider.

And thank you for opening the ticket for consideration.

Note: See TracTickets for help on using tickets.