Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#52837 closed feature request (duplicate)

Use client-side HTTPS request to determine HTTPS update prompt

Reported by: ayeshrajans's profile ayeshrajans Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Site Health Keywords:
Focuses: Cc:


WordPress 5.7 ships with automatic HTTPS checks and an easy upgrade. I think this is a great step and wholeheartedly agree with the idea.

Related: #50072, #52614

The HTTPS check is currently done server-side, which uses the Curl-bundled root certificate store, or the one provided by WordPress. The problem is that the HTTPS URLs are for the browser, and not only for the server.

WordPress's HTTPS connection attempt can fail on sites that might be otherwise available over HTTPS:

  • Local development servers with custom root certificates.
  • Internal web sites with a custom root certificate managed by the network administrator.
  • Computers with Internet security software, that proxies all connections.
  • YOLO users who enable older SSL protocols.

I would like to suggest that we can further improve the HTTPS upgrade prompt by making an HTTPS request to a REST end point (that is signed, and responds with CORS) on the browser. If the request is successful, then we can show the user a message, saying the server cannot connect the WordPress site, but the browser could. If the user would like to upgrade to HTTPS knowing this, I think that is an improvement either way.

Thank you.

Change History (3)

#1 @SergeyBiryukov
3 years ago

Thanks for the ticket!

I think the current plan is to remove the HTTPS check from Site Health in #52783, as there are indeed some scenarios where it doesn't work as expected.

#2 @ayeshrajans
3 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #52783.

Great, thank you.
I will mark this one as duplicate so we have central place to discuss.

#3 @SergeyBiryukov
3 years ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.