WordPress.org

Make WordPress Core

Opened 7 months ago

Last modified 4 weeks ago

#49515 new feature request

SSL requirement during installation with SQL command through admin if mixed content

Reported by: bjornenio
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Upgrade/Install
Keywords: needs-patch dev-feedback
Focuses: ui, administration
Cc:

Description

Would it not be a good idea to highlight / warn the user if they try to use http instead of https?

Furthermore, it would be very beneficial if wp admin offered a solution in terms of a SQL command for fixing mixed content if SSL is added after the fact.

This might already be in the pipeline?

Change History (4)

#1 @SergeyBiryukov
7 months ago

  • Component changed from Build/Test Tools to Upgrade/Install

#2 @zodiac1978
6 weeks ago

  • Keywords needs-patch dev-feedback added

Would it not be a good idea to highlight / warn the user if they try to use http instead of https?

I think this is a good idea! We couldn't use is_ssl on the install page, because the option is not written at this moment, so I looked for available solutions to check whether the page is available through https and found this:

<?php
// Posted snippet, restructured: detect HTTPS either directly (PHP's own HTTPS
// variable) or via headers set by a TLS-terminating load balancer / reverse proxy.
$isSecure = false;
if ( isset( $_SERVER['HTTPS'] ) && 'on' === strtolower( $_SERVER['HTTPS'] ) ) {
    // Direct TLS: PHP sets HTTPS to a non-empty value when the request used HTTPS.
    $isSecure = true;
} elseif (
    ( ! empty( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) )
    || ( ! empty( $_SERVER['HTTP_X_FORWARDED_SSL'] ) && 'on' === strtolower( $_SERVER['HTTP_X_FORWARDED_SSL'] ) )
) {
    // Forwarded headers come from whoever connected to PHP; they are only
    // trustworthy when a proxy in front of PHP sets or strips them.
    $isSecure = true;
}
$REQUEST_PROTOCOL = $isSecure ? 'https' : 'http';

Source: https://stackoverflow.com/a/16076965

It checks whether the variable stating https support is set, or, in the case of a load balancer and similar stuff (reverse proxy, etc.), it checks different variables for those.

If this were added to the install page, we could either redirect to the https version or display a warning stating that https is available too.

Furthermore, it would be very beneficial if wp admin offered a solution in terms of a SQL command for fixing mixed content if SSL is added after the fact.

This looks like plugin territory to me. And there are already many plugins available for that:
https://wordpress.org/plugins/search/ssl+mixed+content/
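
The snippet above treats X-Forwarded-Proto as authoritative, but that header is sent by whatever connects to PHP, so a plain-HTTP client can set it itself unless a trusted proxy in front overwrites it. The following is an added example (not from this ticket or from WordPress core) of the same detection with that caveat handled: the forwarded headers are honoured only when the TCP peer (REMOTE_ADDR) is on an allowlist of proxy addresses. The function name request_is_https, the $trusted_proxies allowlist and the sample $_SERVER arrays are all assumptions constructed for the example.

```php
<?php
/**
 * Added example (not WordPress core code): decide whether the current request
 * arrived over HTTPS, trusting X-Forwarded-Proto / X-Forwarded-SSL only when
 * the immediate peer is a known reverse proxy. Anyone can send
 * "X-Forwarded-Proto: https" straight to the origin, so honouring it
 * unconditionally lets a plain-HTTP client suppress the warning.
 *
 * $trusted_proxies is a hypothetical allowlist; in a real deployment it would
 * come from configuration (for example a constant in wp-config.php).
 */
function request_is_https( array $server, array $trusted_proxies = array() ) {
    // Direct TLS termination: PHP sets HTTPS to a non-empty value ('on', '1').
    // IIS sets it to 'off' for plain requests, so that value must be excluded.
    if ( isset( $server['HTTPS'] ) ) {
        $https = strtolower( (string) $server['HTTPS'] );
        if ( '' !== $https && 'off' !== $https ) {
            return true;
        }
    }

    // Some SAPIs only expose the port.
    if ( isset( $server['SERVER_PORT'] ) && 443 === (int) $server['SERVER_PORT'] ) {
        return true;
    }

    // Forwarded headers are meaningful only if the peer is a proxy we trust.
    $peer = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    if ( '' === $peer || ! in_array( $peer, $trusted_proxies, true ) ) {
        return false;
    }

    if ( ! empty( $server['HTTP_X_FORWARDED_PROTO'] ) ) {
        // The header may be a comma-separated chain; the first entry is the
        // scheme the end client used.
        $first = strtolower( trim( explode( ',', $server['HTTP_X_FORWARDED_PROTO'] )[0] ) );
        if ( 'https' === $first ) {
            return true;
        }
    }

    if ( ! empty( $server['HTTP_X_FORWARDED_SSL'] )
        && 'on' === strtolower( $server['HTTP_X_FORWARDED_SSL'] ) ) {
        return true;
    }

    return false;
}

// Constructed sample requests (not real traffic).
$trusted = array( '10.0.0.5' );

$direct_tls = array( 'HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7' );
$via_proxy  = array( 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https' );
$spoofed    = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https' );

// Direct TLS and a forwarded header from the trusted proxy are accepted;
// the same header from an untrusted peer is ignored.
var_dump( request_is_https( $direct_tls, $trusted ) );
var_dump( request_is_https( $via_proxy, $trusted ) );
var_dump( request_is_https( $spoofed, $trusted ) );
```

The third call returns false because the client-supplied header is ignored when REMOTE_ADDR is not a listed proxy. If the proxy tier is not fixed (for example a CDN with many egress ranges), the allowlist has to be maintained from the provider's published ranges, or the proxy must be configured to strip inbound X-Forwarded-* headers before adding its own.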

#3 follow-up: @WiZZarD_
5 weeks ago

This seems like a good idea to me. However, the check using

$_SERVER['HTTPS']

wouldn't be optimal. As stated in https://www.php.net/manual/en/reserved.variables.server.php this is set to a non-empty value if the script was queried through the HTTPS protocol. Ideally, you'd want to check for the capability of a secured connection, not if the user is already using it.

My approach would be to test the given site-url for SSL capabilities, by using something like fsockopen(). If the url can be accessed through a secure connection, ask the user if they want to use that instead. If it's not possible, just proceed with the install.

#4 in reply to: ↑ 3 @zodiac1978
4 weeks ago

Replying to WiZZarD_:

Ideally, you'd want to check for the capability of a secured connection, not if the user is already using it.

My first minimal approach was to check if https is used and, if not, display a warning. Additionally, I was wrong: we could in fact use is_ssl, but without the load balancer fix. See: https://developer.wordpress.org/reference/functions/is_ssl/

My approach would be to test the given site-url for SSL capabilities, by using something like fsockopen(). If the url can be accessed through a secure connection, ask the user if they want to use that instead. If it's not possible, just proceed with the install.

That would be a better approach. Not just detect the missing https, but detecting a possible https connection and offer a redirect to the https version.

But what about people who forgot to install the SSL certificate (or there is something wrong with it)? I think we should warn in every case where https is not used, and offer a direct link to https if it is already available.

The first one is easy as we could just use is_ssl().

I was not successful in detecting a possible https connection. Maybe someone can chime in with a code snippet.
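
Comment 3 proposes probing the site URL for TLS capability, and comment 4 asks for a snippet that does so. The following is an added example (not from this ticket, and not WordPress core code) of that probe in plain PHP: it opens an ssl:// stream to the site's host on port 443 with peer verification left on, so a missing, self-signed or expired certificate (the case raised in comment 4) is reported as "no working https" rather than as success, and a short timeout keeps the installer responsive when port 443 is filtered. The function names https_probe and install_https_advice and the example URL are assumptions made for the example.

```php
<?php
/**
 * Added example (not WordPress core code): check whether a host completes a
 * valid TLS handshake on port 443. Peer verification stays enabled on
 * purpose: an install page should only offer an https:// link that will
 * actually load without a browser certificate error.
 */
function https_probe( $host, $timeout = 3.0 ) {
    $result  = array( 'available' => false, 'error' => '' );
    $context = stream_context_create( array(
        'ssl' => array(
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'peer_name'         => $host, // SNI and hostname check against the cert
            'SNI_enabled'       => true,
        ),
    ) );

    $errno  = 0;
    $errstr = '';
    // With an ssl:// address the handshake happens during connect, so a
    // certificate failure shows up here as false instead of on first write.
    $fp = @stream_socket_client(
        'ssl://' . $host . ':443',
        $errno,
        $errstr,
        $timeout,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ( false === $fp ) {
        $result['error'] = '' !== $errstr ? $errstr : 'connect failed (' . $errno . ')';
        return $result;
    }
    fclose( $fp );
    $result['available'] = true;
    return $result;
}

/**
 * Decide what the install page should show. Returns an array with 'state':
 *   'ok'            already on https
 *   'offer-https'   http now, but https works: show a link / redirect
 *   'warn-no-https' http now and https not reachable or not valid: warn only
 *
 * $request_is_https would be is_ssl() (or a proxy-aware equivalent) in WordPress.
 */
function install_https_advice( $site_url, $request_is_https ) {
    if ( $request_is_https ) {
        return array( 'state' => 'ok', 'link' => '' );
    }

    $host = parse_url( $site_url, PHP_URL_HOST );
    if ( null === $host || false === $host ) {
        return array( 'state' => 'warn-no-https', 'link' => '', 'reason' => 'no host in URL' );
    }

    $probe = https_probe( $host );
    if ( $probe['available'] ) {
        // Same path under https so the user lands on the page they were on.
        $https_url = preg_replace( '#^http://#i', 'https://', $site_url );
        return array( 'state' => 'offer-https', 'link' => $https_url );
    }
    return array( 'state' => 'warn-no-https', 'link' => '', 'reason' => $probe['error'] );
}

// Usage with a constructed, non-routable example URL. On a real install page
// the URL should be the one the installer itself was loaded from, not a
// user-typed value, so the probe cannot be pointed at arbitrary hosts.
$advice = install_https_advice( 'http://example.invalid/wp-admin/install.php', false );
echo $advice['state'], PHP_EOL;
```

Two points a practitioner would want here: the probe only says that the host answers TLS on 443 with a certificate that validates against the server's CA bundle, not that the WordPress vhost is served there (a default site on 443 passes the probe), so the offered link should be a link the user clicks rather than an automatic redirect; and the host must come from the request the installer is handling, otherwise the install page becomes a small port scanner for whoever can reach it.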
