[wp-trac] [WordPress Trac] #28521: FORCE_SSL constant for really forcing SSL
WordPress Trac
noreply at wordpress.org
Thu Jun 12 22:50:17 UTC 2014
#28521: FORCE_SSL constant for really forcing SSL
----------------------------+-----------------
Reporter: johnbillion | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 4.0
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
----------------------------+-----------------
Previously: #27954.
As per [https://make.wordpress.org/core/2014/06/11/ssl-taskforce/ this
post on make/core and its comments], we should introduce a new constant
which becomes the iron-fisted ruler of HTTPS, imposing its might
everywhere it can.
If this constant is set, we will:
* Force `https` connections (pretty much covered by #27954)
* Force local URLs within content to `https`
* Force local enqueued scripts and styles to `https`
* Force non-local enqueued scripts and styles to `https`
* Set the `secure` flag on all cookies
What we won't do:
* Force non-local URLs within content to `https`
* Force the `https` version of oEmbeds just yet - see #28507
* Send an HSTS header - see #28520
What I'm not sure on:
* Should we force `https` connections for XML-RPC? See #28424.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28521>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
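The content rule in the ticket (force local URLs to `https`, leave non-local ones alone) sketched as an added example; it is not code from the ticket or from WordPress core. `FORCE_SSL` is the constant the ticket proposes, and the function name, host names and sample markup are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress core code. FORCE_SSL is the constant proposed
// in the ticket; it is defined here only so the sketch runs stand-alone.
define('FORCE_SSL', true);

/**
 * Upgrade http:// URLs in $content to https:// only when the host is exactly
 * the site's own host. Non-local URLs are returned unchanged.
 * (Hypothetical helper name; not a WordPress function.)
 */
function example_force_local_https(string $content, string $site_host): string
{
    if (!defined('FORCE_SSL') || !FORCE_SSL) {
        return $content;
    }
    $site_host = strtolower($site_host);

    // Capture the host after "http://". The lookahead requires the host to be
    // followed by a path, query, fragment, quote, whitespace, "<" or the end,
    // so URLs with an explicit port or a "user@" part are left untouched.
    $pattern = '~\bhttp://([a-z0-9.-]+)(?=[/?#"\'\s<]|$)~i';

    $result = preg_replace_callback(
        $pattern,
        function (array $m) use ($site_host): string {
            // Exact comparison: a lookalike such as "blog.example.other.example"
            // is a different host and must not be treated as local.
            if (strtolower($m[1]) !== $site_host) {
                return $m[0];
            }
            return 'https://' . $m[1];
        },
        $content
    );

    // preg_replace_callback() returns null on a regex error; fail safe by
    // returning the original content.
    return $result ?? $content;
}

// Constructed sample content: one local link, one third-party image,
// one lookalike host and one URL carrying a "user@" part.
$sample = '<a href="http://blog.example/post">local</a> '
        . '<img src="http://cdn.other.example/a.png"> '
        . '<a href="http://blog.example.other.example/">lookalike</a> '
        . '<a href="http://blog.example@other.example/">userinfo</a>';

echo example_force_local_https($sample, 'blog.example'), "\n";
```

Only the first link is upgraded; comparing the parsed host exactly, rather than matching on a string prefix, is what keeps the lookalike and `user@` forms from being misclassified as local.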