Do client-side HTTPS request to confirm valid certificate

[westonruter]

At the moment we rely on the WP Cron job to do a loopback request to HTTPS URL for the site to make sure that HTTPS is available. However, it could be that the server doesn't have certificates configured properly to successfully verify, or it may verify when they shouldn't be. Additionally, on the general settings screen it could be that the cronjob is delayed and so we can't get up-to-date information to display with the HTTPS checkbox.

So I think for the general settings screen we should do a client-side request with JavaScript to an HTTPS endpoint to make sure that the request succeeds. This could be simply an admin-ajax handler that sends the CORS response headers. Or we could do a fetch to the HTTPS URL for the web manifest, since the REST API sends CORS by default via rest_send_cors_headers(). But since that can be disabled, perhaps best to go with admin-ajax.

So whenever accessing the general settings screen where the HTTPS checkbox is displayed, the Ajax request can be made to check for HTTPS and the checkbox (with notice) can be updated depending on whether the request succeeds.

[westonruter]

A related issue here can be found on https://wordpress.org/support/topic/plugin-triggers-curl-error-28-message/

In short, the loopback request in \WP_HTTPS_Detection::update_https_support_options() can timeout on slow hosts. When that happens, an error gets shown in the general settings:

If we did the client-side instead, then this would not be a problem, and it would be more robust since the browser's certificates should be more reliable.