[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS
WordPress Trac
noreply at wordpress.org
Mon Nov 17 18:58:52 UTC 2014
#15928: wp_get_attachment_url does not check for HTTPS
--------------------------+-----------------------------
 Reporter:  atetlaw       |       Owner:  boonebgorges
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  Future Release
Component:  Permalinks    |     Version:  3.0.3
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+-----------------------------
Comment (by joemcgill):
Your first three points all make perfect sense to me. I had considered
whether it would be best to limit the filter to only look for the upload
directory url inside of a src attribute and you're probably correct that
it's better to be conservative here.
In terms of your last point, the only question that I would have is
whether it would be better from a security point of view to return
https:// urls, which would be broken because of insecure content
errors, rather than display the content. Because by not doing so, aren't
we effectively breaking HTTPS by displaying mixed content when the
function is being called from within an SSL context (e.g.
https://secure.mydomain.com)?
I'm really interested in opinions on that particular point, because we are
making a pretty important design decision for how that function should
work. If we go the less aggressive route, I think we need to create extra
filters for places where this function is used to create content displayed
in the admin area of a site (when using SSL) than what we currently have
in place.
Another approach would be to add a new parameter to that function that is
basically a boolean for forcing the function to return SSL urls when
called from an SSL context, and then make sure that all the times the
admin uses `wp_get_attachment_url()` we are passing along `true` to that
parameter (or even just make true the default). Would that approach be
better?
Once we figure out the right approach, I'm happy to create another patch
to try to close this up.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/15928#comment:85>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
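As an added illustration of the "return SSL urls when called from an SSL context" behaviour debated in the comment above (this is not code from the ticket or from WordPress core), a plugin-level filter that rewrites only the site's own upload URLs to https on SSL requests, so embedded attachments do not produce mixed-content errors. It assumes the core hook `wp_get_attachment_url` and the core functions `is_ssl()`, `wp_upload_dir()` and `set_url_scheme()`; the function name `example_force_ssl_attachment_url` is made up.

```php
<?php
/**
 * Illustrative plugin snippet (not WordPress core code): when the current
 * request is served over SSL, make wp_get_attachment_url() return an
 * https:// URL for files that live in this site's own uploads directory,
 * so attachments embedded on an https page do not trigger mixed-content
 * errors in the browser.
 *
 * Assumes the core filter 'wp_get_attachment_url' and the core functions
 * is_ssl(), wp_upload_dir() and set_url_scheme().
 */
function example_force_ssl_attachment_url( $url, $post_id ) {
    // Only rewrite when the page itself is being served over SSL;
    // plain-http requests keep the URL exactly as core produced it.
    if ( ! is_ssl() ) {
        return $url;
    }

    // Be conservative: only touch http:// URLs under this site's uploads
    // base URL. Externally hosted files and URLs that are already https
    // (which do not match the http:// prefix) are left alone.
    $uploads  = wp_upload_dir();
    $base_url = set_url_scheme( $uploads['baseurl'], 'http' );
    if ( 0 !== strpos( $url, $base_url ) ) {
        return $url;
    }

    // Swap the scheme without altering host, path or query.
    return set_url_scheme( $url, 'https' );
}
add_filter( 'wp_get_attachment_url', 'example_force_ssl_attachment_url', 10, 2 );
```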