WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#8901 closed defect (bug) (fixed)

Sends menu icons for plugin menus over HTTP regardless of SSL settings

Reported by: brandonhorn Owned by: ryan
Milestone: 2.8 Priority: normal
Severity: minor Version: 2.7
Component: Administration Keywords: has-patch tested commit
Focuses: Cc:

Description

When a plugin adds a menu item to the admin interface, the associated icon is sent over HTTP. This is true regardless of whether the FORCE_SSL options are set. The issue is that IE warns when an HTTPS page contains some information sent over HTTP.

By default, IE doesn't cache images sent over HTTPS, so it warns every single time a page is loaded in the admin interface.

Attachments (1)

8901.diff (769 bytes) - added by DD32 5 years ago.

Download all attachments as: .zip

Change History (11)

comment:1 ryan5 years ago

  • Owner changed from anonymous to ryan

comment:2 Denis-de-Bernardy5 years ago

  • Keywords 2nd-opinion added; HTTPS removed

Is this still current? Seems like they're get included with CSS and that the CSS files get included with an https link. Or am I missing something?

comment:3 Denis-de-Bernardy5 years ago

  • Keywords reporter-feedback added

comment:4 Denis-de-Bernardy5 years ago

  • Milestone 2.8 deleted
  • Resolution set to invalid
  • Status changed from new to closed

plugin should fix this by using wp_print_scripts()

comment:5 DD325 years ago

  • Milestone set to 2.8
  • Resolution invalid deleted
  • Status changed from closed to reopened

Need to check if this is still current.

Denis: When you add top-level menu's, You can specify a Icon to be shown (instead of the default), You dont supply a full url, just a relative (to site root i think) path.

using site_url() would fix this, if its not yet been implemented.

comment:6 Denis-de-Bernardy5 years ago

  • Milestone 2.8 deleted
  • Resolution set to invalid
  • Status changed from reopened to closed

re-closing this as invalid. if you add an icon, using site_url() and plugin_dir_url() to pass its url around will enforce the proper protocol in _wp_menu_output()

comment:7 DD325 years ago

  • Keywords has-patch added; reporter-feedback 2nd-opinion removed
  • Milestone set to 2.8
  • Resolution invalid deleted
  • Status changed from closed to reopened

Re-opening, Yet again, Due to this being simpler to be solved by WordPress than plugins.

Admin SSL can be set on a per-user basis, also a per-connection basis i believe, Nor does the admin SSL being enabled mean that SSL is enabled for the Site root, or the plugins directory. Nor does the Admin being SSL-enabled mean links to the plugins directory should be SSL'd.

Please leave it for someone who's got a detailed knowledge of the SSL implementation to close as invalid if its better for plugins to deal with.

DD325 years ago

comment:8 DD325 years ago

However, That patch makes the assumption that the non-admin location is available by SSL, which is not always the case. But that form of SSL (shared cert) is not exactly supported by WordPress in the least very well.

comment:9 Denis-de-Bernardy5 years ago

  • Keywords tested commit added

my guess, if any, is he's using a plugin that adds an icon with a path like this:

$icon = WP_PLUGIN_DIR . 'my-plugin/icon.png';

this should be replaced by:

$icon = plugin_dir_url(__FILE__) . 'icon.png';

and the problem gets fixed. but yeah, your patch gets it fixed by WP directly.

comment:10 ryan5 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [11186]) Make sure plugin menu icons are delivered via https if is_ssl(). Props DD32. fixes #8901

Note: See TracTickets for help on using tickets.