[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS
WordPress Trac
noreply at wordpress.org
Thu Mar 5 02:39:02 UTC 2015
#15928: wp_get_attachment_url does not check for HTTPS
--------------------------+---------------------------
Reporter: atetlaw | Owner: boonebgorges
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 4.2
Component: Permalinks | Version: 3.0.3
Severity: major | Resolution: fixed
Keywords: has-patch | Focuses:
--------------------------+---------------------------
Changes (by boonebgorges):
* status: accepted => closed
* resolution: => fixed
Comment:
In [changeset:"31614"]:
{{{
#!CommitTicketReference repository="" revision="31614"
In `wp_get_attachment_url()`, convert to HTTPS when possible.
`wp_get_attachment_url()`, via `wp_upload_dir()`, uses 'siteurl' to
generate
attachment URLs. When a site is SSL-optional on the front end - ie,
'siteurl'
is non-HTTPS, but SSL is available - a number of situations can arise
where
non-HTTPS attachment URLs cause browser mixed-content warnings:
a) SSL is forced in the admin and `wp_get_attachment_url()` is used to
generate the `<img>` tag for an inserted image. In these cases, the post
content will contain non-HTTPS. Viewing/editing this post in the Dashboard
will result in non-HTTPS images being served in an SSL environment.
b) `wp_get_attachment_url()` is used in a theme to generate an `<img>`
`src` attribute on a public page. When viewing that page over SSL, the
images will have HTTP URLs.
This changeset switches attachment URLs to HTTPS when it's determined that
the
host supports SSL. This happens when 'siteurl' is non-SSL, but the current
page
request *is* over SSL, and the host of the current request matches the
host of
the URL being generated.
Props joemcgill, boonebgorges.
Fixes #15928.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/15928#comment:97>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list