#52837 closed feature request (duplicate)
Use client-side HTTPS request to determine HTTPS update prompt
Reported by: | ayeshrajans | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | |
Component: | Site Health | Keywords: | |
Focuses: | Cc: |
Description
WordPress 5.7 ships with automatic HTTPS checks and an easy upgrade. I think this is a great step and wholeheartedly agree with the idea.
The HTTPS check is currently done server-side, which uses the Curl-bundled root certificate store, or the one provided by WordPress. The problem is that the HTTPS URLs are for the browser, and not only for the server.
WordPress's HTTPS connection attempt can fail on sites that might be otherwise available over HTTPS:
- Local development servers with custom root certificates.
- Internal web sites with a custom root certificate managed by the network administrator.
- Computers with Internet security software, that proxies all connections.
- YOLO users who enable older SSL protocols.
I would like to suggest that we can further improve the HTTPS upgrade prompt by making an HTTPS request to a REST end point (that is signed, and responds with CORS) on the browser. If the request is successful, then we can show the user a message, saying the server cannot connect the WordPress site, but the browser could. If the user would like to upgrade to HTTPS knowing this, I think that is an improvement either way.
Thank you.
Thanks for the ticket!
I think the current plan is to remove the HTTPS check from Site Health in #52783, as there are indeed some scenarios where it doesn't work as expected.