[wp-trac] [WordPress Trac] #28427: All cookies should be secure when `home` and `siteurl` use HTTPS

WordPress Trac noreply at wordpress.org
Sun Jun 8 22:05:12 UTC 2014


#28427: All cookies should be secure when `home` and `siteurl` use HTTPS
-------------------------------------+------------------
 Reporter:  johnbillion              |       Owner:
     Type:  enhancement              |      Status:  new
 Priority:  normal                   |   Milestone:  4.0
Component:  Security                 |     Version:
 Severity:  minor                    |  Resolution:
 Keywords:  has-patch needs-testing  |     Focuses:
-------------------------------------+------------------
Changes (by johnbillion):

 * keywords:   => has-patch needs-testing


Comment:

 [attachment:28427.diff] tackles this. Note that it relies on
 [attachment:28487.diff:ticket:28487 my patch for is_https() on #28487].

 The patch sets the 'secure' flag on...

  * The test cookie if both `home_url()` and `site_url()` are https.
  * The settings cookies if `site_url()` is https.
  * The post password cookie if `home_url()` is https.
  * The comment author cookies if the comment post permalink is https.

 I'm in two minds about the comment author cookies. It could just check for
 https on `home_url()` rather than the current comment post permalink.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28427#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
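
An added check, not part of the ticket or of 28427.diff: it applies the per-cookie rule listed in the comment above to captured `Set-Cookie` headers and reports cookies that should carry `Secure` but do not. The cookie names are WordPress default names assumed here (the comment names the cookies only by role), and the URLs and headers are constructed samples.

```python
from urllib.parse import urlsplit


def is_https(url):
    """True when the URL's scheme is https."""
    return urlsplit(url).scheme.lower() == "https"


def secure_expected(name, home, site, permalink):
    """Which URL decides the 'secure' flag for which cookie, per the comment.

    Cookie names/prefixes are assumed WordPress defaults.
    Returns None for cookies the comment does not cover.
    """
    if name == "wordpress_test_cookie":      # test cookie
        return is_https(home) and is_https(site)
    if name.startswith("wp-settings-"):      # settings cookies
        return is_https(site)
    if name.startswith("wp-postpass_"):      # post password cookie
        return is_https(home)
    if name.startswith("comment_author_"):   # comment author cookies
        return is_https(permalink)
    return None


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_secure(headers, home, site, permalink):
    """Names of cookies where 'secure' is expected but absent."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if secure_expected(name, home, site, permalink) and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers (hash suffix and values are placeholders).
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP+Cookie+check; path=/; secure",
    "wp-settings-1=editor%3Dtinymce; expires=Mon, 08-Jun-2015 22:05:12 GMT; path=/",
    "wp-postpass_0123abcd=%24P%24Bexample; path=/; Secure; HttpOnly",
    "comment_author_email_0123abcd=reader%40example.org; path=/",
]
```
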

