[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS

WordPress Trac noreply at wordpress.org
Mon Apr 29 21:27:43 UTC 2013


#15928: wp_get_attachment_url does not check for HTTPS
-------------------------------------+-----------------------------
 Reporter:  atetlaw                  |       Owner:
     Type:  defect (bug)             |      Status:  assigned
 Priority:  normal                   |   Milestone:  Future Release
Component:  Permalinks               |     Version:  3.0.3
 Severity:  normal                   |  Resolution:
 Keywords:  has-patch needs-testing  |
-------------------------------------+-----------------------------

Comment (by ryansatterfield):

 The site should be purely https or purely http, not just the admin side
 being https. If you are an admin using https and you view a post, I would
 assume that would be http, thus breaking the security of https for the
 admin.
 Replying to [comment:41 ccolotti]:
 > Replying to [comment:40 johnbillion]:
 > > Replying to [comment:39 ryansatterfield]:
 > > > Your site is either purely https or purely http. Even if you think
 it is half and half, it isn't. If you use http mixed with https, you've
 broken the http strict transport security, thus making it easier for
 hackers to get information transmitted over https.
 > > ccolotti is talking about the WordPress admin area. You can have admin
 over SSL with a site over HTTP. In this situation, WordPress currently
 incorrectly inserts a images into your post content using the HTTPS scheme
 instead of HTTP.
 >
 > YES this is correct and all I am referring to and exactly my situation.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/15928#comment:42>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list