[wp-trac] [WordPress Trac] #34945: HTTPS website with HTTP images

WordPress Trac noreply at wordpress.org
Sat Jan 2 14:48:59 UTC 2016


#34945: HTTPS website with HTTP images
--------------------------------------------+--------------------------
 Reporter:  Angristan                       |       Owner:  johnbillion
     Type:  defect (bug)                    |      Status:  reopened
 Priority:  normal                          |   Milestone:  4.4.1
Component:  Media                           |     Version:  4.4
 Severity:  normal                          |  Resolution:
 Keywords:  https has-patch has-unit-tests  |     Focuses:
--------------------------------------------+--------------------------

Comment (by joemcgill):

 Replying to [comment:27 dd32]:
 > The `upload_url_path` option could be set to a CDN or other remote host
 > which is only available over one scheme. It could be set to an HTTPS URL
 > while the current page is being served over HTTP.
 >
 > One option would be to only `set_url_scheme()` if the hostnames match.

 The above point is a good one and needs to be considered before "upgrading"
 an HTTP request to an HTTPS one. We can apply the same fix that was
 applied to `wp_get_attachment_url()` in r31614, which only changes schemes
 when `is_ssl()` is true, and the hostnames match.

 Unfortunately, we can't apply this logic directly in `wp_uploads_dir()`
 because that function is used to build URLs for content that is then
 inserted into posts in the database. Eventually, we should reverse all of
 this logic so that we default to HTTPS and make exceptions for the
 functions that insert content in the database, but for 4.4.1 a more
 conservative approach is probably wise.

 In [https://core.trac.wordpress.org/attachment/ticket/34945/34945.2.diff
 34945.2.diff] I've used the same narrow applied in r31614 which will take
 care of situations where:

 * The site has the home and siteurl options set to URLs with HTTP schemes,
 * WP_HOME and WP_SITEURL constants are not defined to HTTPS,
 * The site is optionally available over HTTPS on the front end, or HTTPS
 is being used in the admin with a self-signed certificate but the front
 end is only available over HTTP.

 I also prefer placing this fix in `_wp_upload_dir_baseurl()` instead of
 `wp_calculate_image_srcset()` because this way we only run the code once
 per page load rather than once per image on the page, which could be quite
 a performance hit for the display filter that adds `srcset` attributes to
 content images.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34945#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
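
The condition described in the comment above (change the scheme only when the request is HTTPS and the hostnames match), as an added example that is not part of the ticket or of 34945.2.diff. It is plain PHP rather than WordPress code: the function name and the sample hosts are hypothetical, and `$is_ssl` stands in for the result of `is_ssl()`.

```php
<?php
// Added illustration; hypothetical helper, not WordPress core code.
function example_match_upload_scheme(string $baseurl, string $request_host, bool $is_ssl): string
{
    // Only ever upgrade: on a plain-HTTP request the URL is left untouched.
    if (!$is_ssl) {
        return $baseurl;
    }

    $parts = parse_url($baseurl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $baseurl; // relative or malformed URL: nothing to compare
    }
    if (strtolower($parts['scheme']) !== 'http') {
        return $baseurl; // already HTTPS, or a scheme we do not rewrite
    }

    // Compare hostnames only; a Host header may carry a port suffix.
    $request_name = strtolower(preg_replace('/:\d+$/', '', $request_host));
    if (strtolower($parts['host']) !== $request_name) {
        // A CDN or other remote host may be reachable over one scheme only,
        // so rewriting its URL could break every image on the page.
        return $baseurl;
    }

    return 'https' . substr($baseurl, strlen($parts['scheme']));
}

// Constructed sample cases: [uploads base URL, request host, request is HTTPS].
$cases = [
    ['http://example.test/wp-content/uploads', 'example.test',     true],
    ['http://example.test/wp-content/uploads', 'example.test:443', true],
    ['http://cdn.example.net/uploads',         'example.test',     true],
    ['https://cdn.example.net/uploads',        'example.test',     false],
    ['http://example.test/wp-content/uploads', 'example.test',     false],
];

foreach ($cases as [$baseurl, $host, $is_ssl]) {
    printf(
        "%-5s %-17s %s -> %s\n",
        $is_ssl ? 'https' : 'http',
        $host,
        $baseurl,
        example_match_upload_scheme($baseurl, $host, $is_ssl)
    );
}
```

Only the first two cases are rewritten to HTTPS; the remote-host and plain-HTTP cases come back unchanged, which is what keeps mixed-content warnings away without breaking a single-scheme CDN.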

