WordPress.org

Make WordPress Core

Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#52421 closed defect (bug) (fixed)

Remove admin and login exceptions for https in home_url

Reported by: herregroen Owned by: SergeyBiryukov
Milestone: 5.7 Priority: normal
Severity: normal Version:
Component: General Keywords: has-patch
Focuses: Cc:

Description

Right now the home_url function will automatically switch to https if the current request is already https but will do so only on the front-end.

This was likely created in a time when running the admin with a self-signed certificate with the rest of the site running http was a common use-case.

Today is a very different situation thanks to initiatives like let's encrypt and many hosts providing certificates automatically or with little effort from site owners.

These exceptions may result in users being changed from https to http when navigating from within their admin. In addition it leads to inconsistent behavior of home_url where it will generate different values in the admin and on the frontend.

Attachments (1)

remote-home-url-https-exceptions.patch (540 bytes) - added by herregroen 3 months ago.

Download all attachments as: .zip

Change History (12)

#1 @SergeyBiryukov
3 months ago

  • Milestone changed from Awaiting Review to 5.7
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#2 @mukesh27
3 months ago

  • Keywords has-patch needs-refresh added

Hi there!

If we implement remote-home-url-https-exceptions.patch then we should remove global $pagenow; and there document from the function.

#3 @SergeyBiryukov
3 months ago

Thanks for the patch! It looks like there are some failing tests with this change that need updating:

1) Tests_REST_API::test_rest_url_scheme
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http'
+'https'

S:\home\wordpress.test\develop\tests\phpunit\tests\rest-api.php:792

2) Tests_URL::test_home_url_from_admin
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http://example.org'
+'https://example.org'

S:\home\wordpress.test\develop\tests\phpunit\tests\url.php:210

3) Tests_URL::test_network_home_url_from_admin
Failed asserting that two strings are identical.
--- Expected
+++ Actual
@@ @@
-'http://example.org'
+'https://example.org'

S:\home\wordpress.test\develop\tests\phpunit\tests\url.php:259

Working on that now.

Last edited 3 months ago by SergeyBiryukov (previous) (diff)

#4 @SergeyBiryukov
3 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 50156:

General: Remove admin and login exceptions for https in get_home_url().

Previously, get_home_url() would automatically switch to https if the current request is already https, but would only do so on the front end.

This addresses the inconsistent behavior of returning different values in the admin and on the frontend.

Follow-up to [12598], [21937], [24844].

Props herregroen, mukesh27.
Fixes #52421.

#5 @SergeyBiryukov
3 months ago

  • Keywords needs-refresh removed
  • Resolution fixed deleted
  • Status changed from closed to reopened

This has introduced two other failures:

1) Tests_WP_Resource_Hints::test_dns_prefetch_scripts_does_not_included_registered_only
Undefined index: pagenow

/var/www/build/wp-includes/functions.wp-scripts.php:272
/var/www/tests/phpunit/tests/general/resourceHints.php:192

2) Tests_WP_Resource_Hints::test_deregistered_scripts_are_ignored
Undefined index: pagenow

/var/www/build/wp-includes/functions.wp-scripts.php:272
/var/www/tests/phpunit/tests/general/resourceHints.php:205

Restoring the $pagenow global appears to fix them. It's not quite clear why that happens, as the global is no longer used in the function, but let's address the failures for now and investigate later.

#6 @SergeyBiryukov
3 months ago

In 50164:

General: Restore the $pagenow global in get_home_url().

This fixes test failures in Tests_WP_Resource_Hints.

Follow-up to [50156].

See #52421.

#7 @SergeyBiryukov
3 months ago

In 50168:

General: Remove admin exception for https in network_home_url().

Previously, network_home_url() would automatically switch to https if the current request is already https, but would only do so on the front end.

This mirrors the change made earlier for get_home_url().

Follow-up to [12598], [21937], [24844], [50156].
See #52421.

This ticket was mentioned in Slack in #core by sergey. View the logs.


3 months ago

#9 follow-up: @peterwilsoncc
3 months ago

The test failure looks to be coming from either a poorly defined global in source, or erroniously reset global in the tests. Either way, it seems luck has caused the tests to pass until now and I wouldn't be surprised to discover other repairs to the global needed along the way.

@SergeyBiryukov are you still wanting to solve this during the 5.7 cycle or would you prefer it to be dealt with on another ticket?

#10 in reply to: ↑ 9 @SergeyBiryukov
3 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to peterwilsoncc:

are you still wanting to solve this during the 5.7 cycle or would you prefer it to be dealt with on another ticket?

Let's continue in #52566 :)

#11 in reply to: ↑ description @SergeyBiryukov
3 months ago

Replying to herregroen:

Right now the home_url function will automatically switch to https if the current request is already https but will do so only on the front-end.

For reference, just noting that wp_get_attachment_url() has a similar exception that may or may not need to be removed later. See [32342] / #32112.

Note: See TracTickets for help on using tickets.