Non secure sudomain site url in site activation email

[umesh.nevase]

I've enabled Network site settings for Both site and user registration.

After creating a subdomain and registering a new user site, I got the email requesting site activation. Both a non-secure site URL and a site activation URL are included in the email. The URL of the new site must be secure. When an email contains a non-secure URL and open in browser, an error message stating "Warning: Potential Security Risk Ahead" appears.

I've also checked for subdirectory install, the activation email also contain nonsecure url for new subdirectory site.

Are we keeping the non secure in URL on purpose? We should have handle it for subdirectory install at least by checking the main site is secure or not.

Also there are inconsistencies for http and https url in activate and signup emails.

[umesh.nevase]

Email for site activation for Subdomain Install

[umesh.nevase]

Email for site activation for Subdirectory Install

[umesh.nevase]

Email for subdirectory site install welcome message

[umesh.nevase]

Email for subdomain site install welcome message

[rollybueno]

Looks like this depends on home settings value. e.g.

On the subdomain install, the URL is fetched by using get_blogaddress_by_id():
https://core.trac.wordpress.org/browser/tags/6.8.1/src/wp-includes/ms-blogs.php#L46. It will try to set the scheme by parsing the home value. If the scheme is empty, it will be using http although it will esc_url() on the return value.

I could be wrong, but can you confirm on your settings?

[umesh.nevase]

I've checked some code and the nonsecure urls are added from WordPress core.
wp-includes/ms-functions.php:972
wp-includes/ms-functions.php:1019
wp-includes/ms-functions.php:1051

Trac ticket: https://core.trac.wordpress.org/ticket/63490