Make WordPress Core

Opened 5 months ago

Last modified 5 months ago

#51438 new enhancement

Use CSP directive upgrade-insecure-requests when using HTTPS

Reported by: flixos90 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Security Keywords: needs-patch needs-unit-tests
Focuses: Cc:


While looking at ways on how to streamline HTTPS support in WordPress core, one suggestion has been to include a `Content-Security-Policy` directive of `upgrade-insecure-requests` for sites using HTTPS. This directive would ensure that browsers automatically replace (old) insecure requests for inline content (e.g. images) to use HTTPS (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests).

This could be as simple as injecting <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> into wp_head for sites that use HTTPS (see wp_is_using_https() from #47577). Alternatively, since this is mostly beneficial for sites that may still ("accidentally") have insecure URLs in their content after migrating from HTTP to HTTPS, it might make sense to rely on wp_should_update_insecure_urls() from #51437 instead.

Change History (1)

#1 @ayeshrajans
5 months ago

Given that multiple CSP headers/meta tags will only further restrict the effective policy, I think this will be a change that would not overwrite if there is a CSP header sent at the web server level.

Note: See TracTickets for help on using tickets.