[wp-trac] [WordPress Trac] #32112: wp_get_attachment_url returns https when it should not
WordPress Trac
noreply at wordpress.org
Thu Apr 30 04:06:14 UTC 2015
#32112: wp_get_attachment_url returns https when it should not
-------------------------------------+---------------------------
Reporter: zabatonni | Owner: boonebgorges
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: 4.2.2
Component: Media | Version: 4.2
Severity: normal | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+---------------------------
Comment (by joemcgill):
Hey Boone,
Just had a chance to look over this issue and tend to agree that it makes
sense to respect the scheme from `wp_upload_dir()` when writing content
to the database, as you've suggested in [attachment:32112.2.diff].
Although, the two concerns you brought up in your previous [comment:18
comment] make me wonder if we might end up needing to add a content
filter either way.
> (a) A site with non-SSL homeurl which is administered over SSL will see
> mixed-content warnings when using the Visual editor. (b) Front-end
> visitors to an SSL-optional site (non-SSL homeurl but accessible over
> HTTPS) will see mixed-content warnings when viewing posts with
> attachments.
One thing we chose not to do while working on #15928, which could help
this issue and the types of caching issues @Ipstenu describes, is to force
a scheme switch to non-SSL urls when someone visits a non SSL-optional
front end, which could apply to any case where `wp_get_attachment_url()`
is being called in a template on the front end.
So in short, I'm suggesting:
1. Respect the scheme of wp_upload_dir() when we know we're writing post
content to the database, which your current patch handles.
2. Conditionally add a very narrow filter to the_content that basically
uses the same logic we used in #15928 to scheme switch only when a request
is coming over HTTPS and the host matches the host of the uploads
directory (i.e., when we know SSL is available).
3. Optionally, we can use similar logic to scheme switch HTTPS urls back
to HTTP in SSL-optional contexts.
What would be great, if possible, would be to make TinyMCE scheme switch
to HTTPS when loading the image views in the WYSIWYG editor, without
changing the actual content that gets saved, but that's @azaozz territory.
I have no idea if we can even do such a thing.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32112#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
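
The narrow `the_content` filter proposed in point 2 of the comment above, as an added example (not code from the ticket, its patches, or WordPress core). The function name `example_upgrade_upload_urls` is hypothetical, and the request host is assumed to come from `$_SERVER['HTTP_HOST']`; the sample markup in the stand-alone branch is constructed.

```php
<?php
/**
 * Added example: upgrade http:// upload URLs to https:// at render time only
 * when the request is HTTPS and was made to the host that serves uploads.
 * Stored post content is never modified.
 */
function example_upgrade_upload_urls( $content, $upload_baseurl, $request_is_https, $request_host ) {
    $upload_host = parse_url( $upload_baseurl, PHP_URL_HOST );

    // Leave content alone unless SSL is known to work for the uploads host:
    // the request is HTTPS and its host equals the uploads host.
    if ( ! $request_is_https || ! $upload_host || 0 !== strcasecmp( $upload_host, $request_host ) ) {
        return $content;
    }

    // Build both scheme variants of the uploads base, with a trailing slash
    // so that only paths below the uploads directory can match.
    $base       = rtrim( $upload_baseurl, '/' ) . '/';
    $http_base  = preg_replace( '#^https?://#i', 'http://', $base );
    $https_base = preg_replace( '#^https?://#i', 'https://', $base );

    // Other http:// links (external hosts, non-upload paths) are untouched.
    return str_replace( $http_base, $https_base, $content );
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register the filter on the_content.
    add_filter( 'the_content', function ( $content ) {
        $uploads = wp_upload_dir();
        // HTTP_HOST may carry a port; keep only the host part for comparison.
        $host = isset( $_SERVER['HTTP_HOST'] )
            ? parse_url( 'http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST )
            : '';
        return example_upgrade_upload_urls( $content, $uploads['baseurl'], is_ssl(), (string) $host );
    } );
} else {
    // Stand-alone run with constructed sample markup.
    $sample = '<img src="http://example.com/wp-content/uploads/2015/04/a.png">'
            . '<a href="http://other.example/page">link</a>';
    $base   = 'http://example.com/wp-content/uploads';
    echo example_upgrade_upload_urls( $sample, $base, true, 'example.com' ), "\n";  // upload URL upgraded
    echo example_upgrade_upload_urls( $sample, $base, false, 'example.com' ), "\n"; // unchanged: plain HTTP
    echo example_upgrade_upload_urls( $sample, $base, true, 'cdn.example' ), "\n";  // unchanged: host differs
}
```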