[wp-trac] [WordPress Trac] #36451: get_rest_url() not returning SSL version of the URL when the home_url it's a subdomain
WordPress Trac
noreply at wordpress.org
Wed May 24 16:13:42 UTC 2017
#36451: get_rest_url() not returning SSL version of the URL when the home_url it's
a subdomain
-------------------------+-------------------------------------------------
 Reporter:  nicholas_io  |       Owner:  johnbillion
     Type:  defect (bug) |      Status:  assigned
 Priority:  normal       |   Milestone:  Future Release
Component:  REST API     |     Version:  4.4
 Severity:  major        |  Resolution:
 Keywords:  https        |     Focuses:  administration, multisite, rest-api
-------------------------+-------------------------------------------------
Comment (by jnylen0):
Replying to [comment:27 johnbillion]:
> The REST API endpoint URL is not blindly forced to HTTPS if the current
> request is HTTPS because the domain name can differ and not be available
> over HTTPS, therefore breaking the endpoint.
I now think this is less common than the current situation described in
this ticket...
> That said, the current situation results in the REST API endpoint URL
> having an HTTP scheme when you're on an HTTPS URL, which means it's most
> likely broken due to cross-protocol restrictions in browsers anyway.
... (this one).
It seems pretty likely to me that if a request that serves a `rest_url`
`is_ssl()`, then everything is going to be SSL. If not, then the
`rest_url` filter can be used as above.
> I think we could go ahead and force the REST API endpoint URL to HTTPS
> according to [attachment:36451.3.diff], but I don't want to do that during
> beta 2. I think this needs to be punted to 4.9 early.
IMO a pretty solid argument for getting this into 4.8 is that we now have
usage of the REST API in the admin context (the new oembed proxy endpoint
in the media modal), and we know details of cases where the current code
is broken and [attachment:36451.3.diff] fixes it.
We could also do a hybrid approach where we preserve the hostname check
for the previous code, but remove it if `is_admin() && force_ssl_admin()`.
I can get this done today, but let's discuss in Slack first.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36451#comment:30>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
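
The three behaviours weighed in the comment above, modelled side by side as an added example; this is not WordPress core code and not the attached patch. It runs without WordPress: the policy labels, array keys and hostnames are constructed for illustration, and `/wp-json/` is assumed as the REST prefix.

```php
<?php
/** Swap an http:// scheme for https://. */
function to_https(string $url): string {
    return preg_replace('#^http://#i', 'https://', $url);
}

/**
 * Model of how the REST URL scheme is chosen under each policy.
 * $policy: 'current' | 'always' | 'hybrid' (labels made up for this example)
 * $req:    constructed request facts standing in for is_ssl(), the request
 *          host, is_admin() and force_ssl_admin()
 */
function model_rest_url(string $policy, string $home_url, array $req): string {
    $url       = rtrim($home_url, '/') . '/wp-json/';
    $same_host = $req['host'] === parse_url($home_url, PHP_URL_HOST);
    $ssl_admin = $req['is_admin'] && $req['force_ssl_admin'];

    switch ($policy) {
        case 'current': // HTTPS only if the request host matches the home URL host
            $force = $req['is_ssl'] && $same_host;
            break;
        case 'always':  // HTTPS whenever the current request is HTTPS
            $force = $req['is_ssl'];
            break;
        case 'hybrid':  // keep the host check, but drop it in an SSL-forced admin
            $force = $req['is_ssl'] && ($same_host || $ssl_admin);
            break;
        default:
            throw new InvalidArgumentException("unknown policy: $policy");
    }
    return $force ? to_https($url) : $url;
}

// Constructed scenarios: both requests arrive over HTTPS on a host that
// differs from the host in home_url.
$scenarios = [
    'SSL-forced admin, host differs from home_url' =>
        ['is_ssl' => true, 'host' => 'admin.example.test', 'is_admin' => true, 'force_ssl_admin' => true],
    'HTTPS front end, host differs from home_url' =>
        ['is_ssl' => true, 'host' => 'alias.example.test', 'is_admin' => false, 'force_ssl_admin' => false],
];
foreach ($scenarios as $label => $req) {
    echo $label, "\n";
    foreach (['current', 'always', 'hybrid'] as $policy) {
        printf("  %-8s %s\n", $policy, model_rest_url($policy, 'http://site.example.test', $req));
    }
}
```

An `http://` result on an HTTPS page is the cross-protocol case from the quoted reply; an `https://` result for a host that may not serve HTTPS is the breakage the hostname check was meant to avoid.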