[wp-trac] [WordPress Trac] #47577: Streamline detecting and enabling HTTPS

WordPress Trac noreply at wordpress.org
Fri Aug 9 16:09:35 UTC 2019


#47577: Streamline detecting and enabling HTTPS
-------------------------------------------------+-------------------------
 Reporter:  flixos90                             |       Owner:  (none)
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Awaiting
                                                 |  Review
Component:  Administration                       |     Version:
 Severity:  normal                               |  Resolution:
 Keywords:  2nd-opinion needs-unit-tests has-    |     Focuses:
  patch                                          |
-------------------------------------------------+-------------------------

Comment (by miinasikk):

 Replying to [comment:8 westonruter]:
 >
 > The 80% solution here—for the majority of users who don't know how to
 > debug things like this—seems to be just to `upgrade-insecure-requests`.
 > This should become less and less of a problem as more sites support
 > HTTPS.

 If we added the `upgrade-insecure-requests` header, e.g. by adding a
 `'wp_headers'` filter to `https-detection.php`, then all the sites that
 already use HTTPS would benefit from it. I'm wondering, though, about the
 cases where there might be hundreds of posts, some of which might use
 third-party resources that do not support HTTPS, and this would happen
 without any notice after a WP update. Not sure if there is a good way to
 inform about this behavior change, other than stating it in the added
 Security section. Or do you think it should probably be acceptable as-is
 since it would work for 80% of the cases? Not sure what the general policy
 is for these cases; is the 80% rule the policy? :)

 >
 > So while `upgrade-insecure-requests` should be the default, it makes
 > sense that a developer should be able to turn off that default behavior
 > and instead opt to [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests#Finding_insecure_requests find insecure requests] via:
 >
 > {{{
 > Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
 > }}}
 >
 > This would require the support of a plugin like
 > [https://wordpress.org/plugins/reporting-api/ Reporting API]. It's also
 > not something that should be the default for all sites.

 We could add a filter which by default would add
 `upgrade-insecure-requests` but, when set to the opposite value (`false`
 vs `true` depending on the filter), would add
 `Content-Security-Policy-Report-Only` instead.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47577#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
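The switch sketched in comment 9 (enforce `upgrade-insecure-requests` by default, fall back to a report-only policy when a filter says so), written out as an added example for this thread. This is not the ticket's patch and not WordPress core code. It uses the real `wp_headers` filter, `is_ssl()`, `add_filter()`, `apply_filters()` and `__return_false()`; the filter names `example_upgrade_insecure_requests` and `example_csp_report_uri` and the path `/csp-report-endpoint` are hypothetical names chosen for illustration.

```php
<?php
// Added example for this thread, not code from the ticket's patch or from
// WordPress core. Real WordPress APIs used: the 'wp_headers' filter, is_ssl(),
// add_filter(), apply_filters(), __return_false(). Hypothetical names:
// 'example_upgrade_insecure_requests', 'example_csp_report_uri',
// '/csp-report-endpoint'.

/**
 * Add the HTTPS-related CSP header to the front-end response headers.
 *
 * Default: enforce `upgrade-insecure-requests`. When the hypothetical
 * 'example_upgrade_insecure_requests' filter returns false, send a
 * report-only policy instead, so insecure subresource requests can be
 * found without breaking resources that are only reachable over HTTP.
 *
 * @param array $headers Headers WordPress is about to send (from 'wp_headers').
 * @return array Possibly modified headers.
 */
function example_https_csp_headers( array $headers ) {
	// Only emit on HTTPS responses; on a plain-HTTP page the browser
	// ignores upgrade-insecure-requests anyway.
	if ( ! is_ssl() ) {
		return $headers;
	}

	$enforce = (bool) apply_filters( 'example_upgrade_insecure_requests', true );

	if ( $enforce ) {
		$existing = isset( $headers['Content-Security-Policy'] ) ? $headers['Content-Security-Policy'] : '';
		// Another plugin may already send a policy: append the directive
		// instead of overwriting it, and do not add it twice.
		if ( false === stripos( $existing, 'upgrade-insecure-requests' ) ) {
			$headers['Content-Security-Policy'] = ( '' === $existing )
				? 'upgrade-insecure-requests'
				: rtrim( $existing, "; \t" ) . '; upgrade-insecure-requests';
		}
		return $headers;
	}

	// Report-only mode: the browser sends a JSON violation report for each
	// load that would be blocked, but loads it anyway. Something has to
	// receive the reports (the thread mentions the Reporting API plugin).
	$report_uri = apply_filters( 'example_csp_report_uri', '/csp-report-endpoint' );
	$headers['Content-Security-Policy-Report-Only'] = 'default-src https:; report-uri ' . $report_uri;

	return $headers;
}
add_filter( 'wp_headers', 'example_https_csp_headers' );

// A site owner who wants to audit before enforcing opts out of the default
// from a plugin or mu-plugin with the built-in __return_false callback:
// add_filter( 'example_upgrade_insecure_requests', '__return_false' );
```

Two caveats for anyone trying this. Under enforcement the browser rewrites every `http:` subresource URL to `https:` and never falls back, so a third-party host with no TLS endpoint simply fails to load; that is the breakage the comment above is worried about, and report-only mode is the way to find those hosts first. And `default-src https:` without `'unsafe-inline'` also reports inline scripts and styles, so expect noise in the reports that has nothing to do with mixed content.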

