Rewrite HTTP URLs to use HTTPS #19

Closed
westonruter opened this issue Jun 26, 2018 · 3 comments · Fixed by #557

@westonruter
Collaborator

westonruter commented Jun 26, 2018

Any self-referential URL that is served from the site—including URLs for links, images, videos, scripts, styles, etc.—should get re-written to use HTTP instead of HTTPS when the user has opted-in. See core ticket wp#28521:

  • Force https connections (pretty much covered by #27954)
  • Force local URLs within content to https
  • Force local enqueued scripts and styles to https
  • Force non-local enqueued scripts and styles to https
  • Set the secure flag on all cookies

What we won't do:

  • Force non-local URLs within content to https
  • Force the https version of oEmbeds just yet - see #28507
  • Send an HSTS header - see #28520

Additionally, pages should be served with the upgrade-insecure-requests content security policy so that if there are any URLs that leak through which didn't get rewritten, supporting browsers (~80%) will then do it instead.
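
One way to implement the rewriting described in the opening comment, added here as an example rather than taken from the thread or the plugin: it upgrades only local-host URLs in content, forces enqueued script and style URLs to HTTPS, and sends the upgrade-insecure-requests policy. The `example_*` names, the `example_force_https` option and the sample hosts are hypothetical.

```php
<?php
// Added example, not the plugin's code. example_* names, the option name and
// the sample hosts are hypothetical.

/** Upgrade http:// to https:// only for URLs whose host is one of $local_hosts. */
function example_upgrade_local_urls( string $html, array $local_hosts ): string {
	$local_hosts = array_filter( $local_hosts );
	if ( ! $local_hosts ) {
		return $html;
	}
	$hosts = implode( '|', array_map( static function ( $host ) {
		return preg_quote( $host, '#' );
	}, $local_hosts ) );
	// The lookahead requires the host to end at a URL delimiter, so neither
	// "example.test.other.invalid" nor "example.test@other.invalid" matches.
	// URLs with an explicit port are left alone.
	$pattern = '#http://(' . $hosts . ')(?=[/?\#"\'\s<>)]|$)#i';
	$result  = preg_replace( $pattern, 'https://$1', $html );
	return null === $result ? $html : $result;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: act only on opt-in (hypothetical option name).
	if ( get_option( 'example_force_https' ) ) {
		$hosts = array( wp_parse_url( home_url(), PHP_URL_HOST ) );
		add_filter( 'the_content', static function ( $content ) use ( $hosts ) {
			return example_upgrade_local_urls( $content, $hosts );
		} );
		foreach ( array( 'script_loader_src', 'style_loader_src' ) as $hook ) {
			add_filter( $hook, static function ( $src ) {
				return set_url_scheme( $src, 'https' );
			} );
		}
		// Let supporting browsers upgrade anything the rewriting missed.
		add_action( 'send_headers', static function () {
			header( 'Content-Security-Policy: upgrade-insecure-requests' );
		} );
	}
} else {
	// Constructed sample input for running this file with the PHP CLI.
	$sample = '<img src="http://example.test/a.png"> '
		. '<a href="http://other.invalid/">x</a> '
		. '<a href="http://example.test.other.invalid/">y</a>';
	echo example_upgrade_local_urls( $sample, array( 'example.test' ) ), "\n";
}
```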

@westonruter
Collaborator Author

See 3-year-old core patch for what it does: https://core.trac.wordpress.org/attachment/ticket/28521/28521.diff

Note the proposed force_ssl() function. If no such FORCE_SSL constant is defined, it could then look to the options to find the opt-in.

@postphotos

Hi @westonruter - I know there are a few working solutions that tackle this elsewhere already. For example, I've used Insecure Content Fixer in sites before during a transition to HTTPS:
GitHub: https://github.com/webaware/ssl-insecure-content-fixer
WP.org page: https://en-gb.wordpress.org/plugins/ssl-insecure-content-fixer

This may be helpful as we devise a solution here.

@westonruter
Collaborator Author

westonruter commented Sep 5, 2018

From looking at the plugin directory, these seemed to me to be the most widely-adopted HTTPS-facilitating plugins:


2 participants