[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS
WordPress Trac
noreply at wordpress.org
Mon Nov 17 05:15:44 UTC 2014
#15928: wp_get_attachment_url does not check for HTTPS
--------------------------+-----------------------------
Reporter: atetlaw | Owner: boonebgorges
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: Future Release
Component: Permalinks | Version: 3.0.3
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+-----------------------------
Comment (by joemcgill):
Alright, jumping back into this again. With [attachment: 15928.8.patch],
I'm attempting to solve this complex problem with a few assumptions:

1. The `wp_get_attachment_url()` function should return a url using the
same URL scheme as the context from which it is called. This is
particularly important when the function is called from an HTTPS context
in order to avoid mixed content warnings, as is currently the case
(reported in duplicate ticket #20534).

As @boonebgorges pointed out above, this could cause problems on the front
end if a site is set up to use a separate SSL subdomain (e.g.
https://secure.mysite.com) but had an uploads directory on a different
domain without a signed SSL certificate (e.g. http://mysite.com). Since we
save media urls in post content, there are really only two viable
paths forward for solving these issues while providing back-compatibility
for posts that have already been published. As many have suggested, we
could switch to using a network path scheme for image URLs, or as @azaozz
suggests, we would need a new display filter to make sure local urls are
returned using the same scheme as the site as it is being viewed. This
leads me to my second assumption:

2. We can't use the network path scheme in post content because doing so
can have negative consequences when post content is viewed outside the
context of a web browser. One documented example is when post content is
sent out over email to older Outlook clients
(http://www.feedblitz.com/outlook-hangs-opening-emails-solved/) as
@jbrinley pointed out on
[https://wordpress.slack.com/archives/core/p1415199982004194 Slack]. For
that reason, using a display filter is probably the best way forward.

This latest patch creates a new display filter named
`wp_filter_uploads_scheme()` that will make sure all references to
uploaded media are returned using the same scheme as the page as it's
being viewed and automatically adds it as a filter to `the_content()`
after everything else has run. This patch adds tests for this new filter
as well.

A nice side effect of this patch is that it also resolves the concerns of
the commenters above who didn't want their images to be served over HTTPS
whenever the site was being viewed in HTTP. Not a primary concern, but
worth noting.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/15928#comment:83>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
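
The display-filter approach described in the comment above, as an added example that is not the code in 15928.8.patch: a standalone PHP function that rewrites only references under the uploads base URL to the scheme of the page being viewed. The function name `example_match_uploads_scheme()`, its parameters and the sample content are assumptions made for illustration.

```php
<?php
// Added illustration, not the code in 15928.8.patch.
// example_match_uploads_scheme() and its parameters are hypothetical names.

/**
 * Return $content with every reference under the uploads base URL rewritten
 * to the scheme of the page being viewed. URLs outside uploads are untouched.
 */
function example_match_uploads_scheme( string $content, string $uploads_baseurl, bool $viewing_https ): string {
	// Scheme-less form of the uploads URL, e.g. "mysite.com/wp-content/uploads".
	$bare = preg_replace( '#^https?://#i', '', rtrim( $uploads_baseurl, '/' ) );
	if ( '' === $bare ) {
		return $content;
	}
	$target = ( $viewing_https ? 'https' : 'http' ) . '://' . $bare;

	// Either scheme, then the uploads prefix, then "/" so that a sibling
	// directory such as ".../uploads-old/" is not rewritten.
	$pattern = '#\bhttps?://' . preg_quote( $bare, '#' ) . '(?=/)#i';

	// A callback avoids "$" or "\" in the URL being read as backreferences.
	$result = preg_replace_callback(
		$pattern,
		function ( array $match ) use ( $target ) {
			return $target;
		},
		$content
	);
	return $result ?? $content; // preg_replace_callback() returns null on error
}

// Constructed sample post content: two upload references, one external image,
// one local link outside uploads.
$content = '<img src="http://mysite.com/wp-content/uploads/2014/11/a.png">'
	. '<img src="https://mysite.com/wp-content/uploads/2014/11/b.png">'
	. '<img src="http://cdn.example.net/c.png">'
	. '<a href="http://mysite.com/about/">About</a>';

// In WordPress the two inputs would come from wp_upload_dir()['baseurl'] and is_ssl().
$base = 'http://mysite.com/wp-content/uploads';

echo example_match_uploads_scheme( $content, $base, true ), "\n";  // HTTPS page view
echo example_match_uploads_scheme( $content, $base, false ), "\n"; // HTTP page view
```

Because the stored content is never modified, the same post renders without mixed-content warnings over HTTPS and without forced HTTPS image loads over HTTP; the external image and the non-upload link keep the scheme they were saved with.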