[wp-trac] [WordPress Trac] #33547: Smilies are served over http instead of https and create mixed content when logged in
WordPress Trac
noreply at wordpress.org
Sun Sep 13 02:07:25 UTC 2015
#33547: Smilies are served over http instead of https and create mixed content when
logged in
-------------------------------------------------+-------------------------
 Reporter:  Strzyga                              |  Owner:
     Type:  defect (bug)                         |  Status:  new
 Priority:  normal                               |  Milestone:  4.4
Component:  Posts, Post Types                    |  Version:  4.3
 Severity:  normal                               |  Resolution:
 Keywords:  reporter-feedback has-patch          |  Focuses:  administration
            dev-feedback                         |
-------------------------------------------------+-------------------------

Comment (by dmchale):
fwiw scheme-less URLs were mentioned on slack the other day in an HTTP/2
discussion, and @tollmanz commented how they were an anti-pattern
nowadays. https://wordpress.slack.com/archives/core/p1441918729000823

a few posts below, @eric posted a really good link discussing it
http://www.paulirish.com/2010/the-protocol-relative-url/

"Now that SSL is encouraged for everyone and doesn’t have performance
concerns, this technique is now an anti-pattern. If the asset you need is
available on SSL, then always use the https:// asset.

Allowing the snippet to request over HTTP opens the door for attacks like
the recent Github Man-on-the-side attack. It’s always safe to request
HTTPS assets even if your site is on HTTP, however the reverse is not
true."

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33547#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
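
The scheme behaviour discussed in the comment above, as an added example (not code from the ticket or from WordPress): it resolves each asset reference against the page URL and reports whether it is fetched over HTTPS, as mixed content, or in cleartext. The sample markup, the host `example.test`, the paths and all function names are constructed for illustration.

```javascript
// Added example. SAMPLE_HTML is constructed input; host and paths are placeholders.
const SAMPLE_HTML = `
<img src="http://example.test/assets/smilies/a.png" alt=":)">
<img src="//example.test/assets/smilies/b.png" alt=":(">
<img src="https://example.test/assets/smilies/c.png" alt=";)">
<script src="/assets/js/d.js"></script>
`;

// Pull src/href values out of tags that load subresources.
function extractAssetUrls(html) {
  const re = /<(?:img|script|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

// Resolve one reference against the page URL and report how it is fetched.
// Scheme-less ("//host/...") and relative references inherit the page's scheme.
function classify(rawUrl, pageUrl) {
  const page = new URL(pageUrl);
  const resolved = new URL(rawUrl, page);
  const form = /^https?:\/\//i.test(rawUrl) ? 'absolute'
    : rawUrl.startsWith('//') ? 'protocol-relative' : 'relative';
  let risk = 'ok';
  if (resolved.protocol !== 'https:') {
    // An http asset on an https page is mixed content; on an http page it is
    // plain cleartext that anyone on the network path can modify.
    risk = page.protocol === 'https:' ? 'mixed-content' : 'cleartext';
  }
  return { rawUrl, form, resolved: resolved.href, risk };
}

function audit(html, pageUrl) {
  return extractAssetUrls(html).map((u) => classify(u, pageUrl));
}

// The remedy the quoted article recommends: pin the asset to https://
// regardless of the page scheme. Relative references are left unchanged.
function pinToHttps(rawUrl) {
  if (rawUrl.startsWith('//')) return 'https:' + rawUrl;
  return rawUrl.replace(/^http:\/\//i, 'https://');
}

for (const pageUrl of ['https://example.test/wp-admin/', 'http://example.test/']) {
  console.log(pageUrl);
  for (const r of audit(SAMPLE_HTML, pageUrl)) {
    console.log(`  ${r.risk.padEnd(13)} ${r.form.padEnd(17)} ${r.resolved}`);
  }
}
```

On the HTTPS page only the hard-coded `http://` image is flagged, which is the symptom in this ticket; on the HTTP page the scheme-less reference also falls back to cleartext, which is why the quoted article prefers an explicit `https://`.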