[wp-trac] [WordPress Trac] #32552: Use HTTPS for Google API external libraries
WordPress Trac
noreply at wordpress.org
Sat Jun 27 13:53:51 UTC 2015
#32552: Use HTTPS for Google API external libraries
-------------------------------------------------+-------------------------
Reporter:  netweb                                |      Owner:  rommelxcastro
Type:      defect (bug)                          |     Status:  reopened
Priority:  normal                                |  Milestone:  4.3
Component: External Libraries                    |    Version:
Severity:  critical                              | Resolution:
Keywords:  good-first-bug needs-patch            |    Focuses:
           dev-feedback                          |
-------------------------------------------------+-------------------------
Changes (by dorianmuthig):
* keywords: good-first-bug has-patch => good-first-bug needs-patch dev-feedback
* status: closed => reopened
* resolution: fixed =>
* severity: normal => critical
* type: enhancement => defect (bug)
Comment:
* Is inappropriate change
* Has security implications
As per comment on GitHub:
https://github.com/WordPress/WordPress/commit/81df9bffc5ffdda9cd7c16dadef21b574f9ee922#commitcomment-11859945
(most recent code change that is relevant to the issue described)
>> Please make a change and do not load libraries from external sources.
This centralizes the failure point and enables the external provider to
track all visitors, or worse, inject code in a targeted manner via
referrer, domain, IP and public cookie matching. Please include these
resources locally with the WordPress installation and make using the local
copy the default. In case you'd like to provide users with the option to
use a CDN, please do it in a manner which allows and encourages those
managing multiple WordPress installations to 1. use their own, 2. verify
the script loaded is the right one (lazy load it with JavaScript and
verify a checksum) and 3. avoid leaking users' browser behavior to third
parties.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32552#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
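
The "lazy load it with JavaScript and verify a checksum" approach from the quoted comment, as an added example (not code from the ticket or from WordPress core). The function names, URLs, pinned digest and the stand-in fetcher are assumptions made for illustration; the sample bytes are constructed.

```javascript
// Added example. URLs, the pinned digest and fetchBytes are caller-supplied assumptions.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Base64 SHA-256 of a byte array (same encoding as an SRI "sha256-..." value).
async function sha256Base64(bytes) {
  const digest = new Uint8Array(await subtle.digest('SHA-256', bytes));
  return btoa(String.fromCharCode(...digest));
}

// Browser fetcher: sends no cookies and no Referer header to the third party.
async function browserFetchBytes(url) {
  const res = await fetch(url, { credentials: 'omit', referrerPolicy: 'no-referrer' });
  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
  return new Uint8Array(await res.arrayBuffer());
}

// Returns { source, code }. CDN bytes are returned only if they match the pin;
// a mismatch or a network error falls back to the copy shipped with the site.
async function loadVerified({ cdnUrl, localUrl, pinnedSha256, fetchBytes = browserFetchBytes }) {
  const decode = (b) => new TextDecoder().decode(b);
  try {
    const bytes = await fetchBytes(cdnUrl);
    if ((await sha256Base64(bytes)) === pinnedSha256) {
      return { source: 'cdn', code: decode(bytes) };
    }
  } catch {
    // CDN unreachable: handled the same way as a failed verification.
  }
  return { source: 'local', code: decode(await fetchBytes(localUrl)) };
}

// Constructed sample data: 'abc' stands in for the library file.
const GENUINE = new TextEncoder().encode('abc');
const PINNED = 'ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0='; // SHA-256('abc'), base64

// Hypothetical test double for fetchBytes: serves cdnBody from the CDN URL.
function fakeFetcher(cdnBody) {
  return async (url) => {
    if (url === '/local/lib.js') return GENUINE;
    if (cdnBody === null) throw new Error('CDN unreachable');
    return cdnBody;
  };
}
```

Where the script is loaded with a plain `<script>` tag, the browser's Subresource Integrity `integrity` attribute performs the same digest check natively.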