[wp-trac] [WordPress Trac] #32552: Use HTTPS for Google API external libraries

WordPress Trac noreply at wordpress.org
Sat Jun 27 13:53:51 UTC 2015


#32552: Use HTTPS for Google API external libraries
-------------------------------------------------+-------------------------
 Reporter:  netweb                               |       Owner:  rommelxcastro
     Type:  defect (bug)                         |      Status:  reopened
 Priority:  normal                               |   Milestone:  4.3
Component:  External Libraries                   |     Version:
 Severity:  critical                             |  Resolution:
 Keywords:  good-first-bug needs-patch           |     Focuses:
            dev-feedback                         |
-------------------------------------------------+-------------------------
Changes (by dorianmuthig):

 * keywords:  good-first-bug has-patch => good-first-bug needs-patch
     dev-feedback
 * status:  closed => reopened
 * resolution:  fixed =>
 * severity:  normal => critical
 * type:  enhancement => defect (bug)


Comment:

 * Is an inappropriate change
 * Has security implications

 As per comment on GitHub:
 https://github.com/WordPress/WordPress/commit/81df9bffc5ffdda9cd7c16dadef21b574f9ee922#commitcomment-11859945
 (most recent code change that is relevant to the issue described)

 >> Please make a change and do not load libraries from external sources.
 >> This centralizes the failure point and enables the external provider to
 >> track all visitors, or worse, inject code in a targeted manner via
 >> referrer, domain, IP and public cookie matching. Please include these
 >> resources locally with the WordPress installation and make using the local
 >> copy the default. In case you'd like to provide users with the option to
 >> use a CDN, please do it in a manner which allows and encourages those
 >> managing multiple WordPress installations to 1. use their own, 2. verify
 >> the script loaded is the right one (lazy load it with JavaScript and
 >> verify a checksum) and 3. avoid leaking users' browser behavior to third
 >> parties.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32552#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
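
The checksum verification the comment asks for, as an added example that is not part of the original ticket or WordPress code: a CDN copy is accepted only if its digest matches a pin taken from the trusted local copy, and the local copy stays the default. The function names, sample bytes and the cdn.example URL are assumptions; the integrity attribute at the end is the browser's built-in Subresource Integrity check, used here as a stand-in for a hand-written lazy loader.

```javascript
// Added example, not WordPress code. Sample bytes and the CDN URL are constructed.
const { createHash, timingSafeEqual } = require("node:crypto");

// Build an SRI-style pin ("sha384-<base64 digest>") from a trusted copy of the script.
function integrityFor(body, algo = "sha384") {
  return `${algo}-${createHash(algo).update(body).digest("base64")}`;
}

// True only when the bytes hash to the pinned value; malformed pins fail closed.
function matchesPin(body, pinned) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(pinned);
  if (!m) return false;
  const want = Buffer.from(m[2], "base64");
  const got = createHash(m[1]).update(body).digest();
  return want.length === got.length && timingSafeEqual(want, got);
}

// Local copy is the default. A CDN copy is used only when the site operator
// opted in AND the fetched bytes match the pin; otherwise fall back to local.
function selectScript({ localBody, cdnBody, pinned, useCdn = false }) {
  if (useCdn && cdnBody && matchesPin(cdnBody, pinned)) {
    return { source: "cdn", body: cdnBody };
  }
  return { source: "local", body: localBody };
}

// Browser-native form of the same check: the integrity attribute makes the
// browser refuse to run a script whose digest differs from the pin, and
// referrerpolicy keeps the visited page URL out of the request to the CDN.
function scriptTag(url, pinned) {
  const esc = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
  return `<script src="${esc(url)}" integrity="${esc(pinned)}" ` +
    `crossorigin="anonymous" referrerpolicy="no-referrer"></script>`;
}

// Constructed sample input: a trusted local copy and a modified CDN response.
const SAMPLE_LOCAL = Buffer.from("window.lib = { version: 1 };\n");
const SAMPLE_TAMPERED = Buffer.from("window.lib = { version: 1 };\ninjected();\n");
const SAMPLE_PIN = integrityFor(SAMPLE_LOCAL);

console.log(selectScript({
  localBody: SAMPLE_LOCAL, cdnBody: SAMPLE_TAMPERED, pinned: SAMPLE_PIN, useCdn: true,
}).source);
console.log(scriptTag("https://cdn.example/lib.js", SAMPLE_PIN));
```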

