[wp-trac] [WordPress Trac] #47577: Streamline detecting and enabling HTTPS
WordPress Trac
noreply at wordpress.org
Fri Aug 9 16:09:35 UTC 2019
#47577: Streamline detecting and enabling HTTPS
-------------------------------------------------+-------------------------
Reporter: flixos90 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion needs-unit-tests has-patch | Focuses:
-------------------------------------------------+-------------------------
Comment (by miinasikk):
Replying to [comment:8 westonruter]:
>
> The 80% solution here—for the majority of users who don't know how to
> debug things like this—seems to be just to `upgrade-insecure-requests`.
> This should become less and less of a problem as more sites support
> HTTPS.
If we added the `upgrade-insecure-requests` header, e.g. by adding a
`'wp_headers'` filter to `https-detection.php`, then all the sites that are
already using HTTPS would benefit from that. I'm wondering about the cases,
though, where there might be hundreds of posts, some of which might use
third-party resources that might not support HTTPS, and this would happen
without any notice after a WP update. Not sure if there is a good way to
inform about this behavior change, other than stating it in the added
Security section. Or do you think it should probably be acceptable as-is,
since it would work for 80% of the cases? Not sure what the general policy
is for these cases; is the 80% rule the policy? :)
>
> So while `upgrade-insecure-requests` should be the default, it makes
> sense that a developer should be able to turn off that default behavior
> and instead opt to [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests#Finding_insecure_requests find insecure requests] via:
>
> {{{
> Content-Security-Policy-Report-Only: default-src https:; report-uri /endpoint
> }}}
>
> This would require the support of a plugin like
> [https://wordpress.org/plugins/reporting-api/ Reporting API]. It's also
> not something that should be the default for all sites.
We could add a filter which by default would add the
`upgrade-insecure-requests` but when set to the opposite value (`false` vs
`true` depending on the filter) would add `Content-Security-Policy-Report-Only`
instead.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47577#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
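One way to implement the filter proposed in the comment above, as an added example that is not code from the ticket, its patch or WordPress core. It uses the real `wp_headers` core filter and the real `is_ssl()` function; the filter name `wp_https_upgrade_insecure_requests` and the `/endpoint` report path are assumed placeholders for illustration.

```php
<?php
/**
 * Added example (not from the ticket, its patch or WordPress core).
 * Real things used: the `wp_headers` filter and is_ssl().
 * Assumed things: the `wp_https_upgrade_insecure_requests` filter name and
 * the `/endpoint` report-uri path, which a site would point at a collector
 * such as the Reporting API plugin.
 */

/**
 * Queue a Content-Security-Policy header for HTTPS sites.
 *
 * Default: `upgrade-insecure-requests`, so the browser rewrites any remaining
 * http:// subresource URL to https:// before fetching it. Third-party hosts
 * that do not serve HTTPS will then fail to load, which is the concern raised
 * about old posts.
 *
 * Opt-out: a developer who would rather find the mixed content first returns
 * false from the hypothetical filter and the site sends a Report-Only policy,
 * which blocks nothing and only reports violations to the endpoint.
 *
 * @param array $headers Headers queued by WP::send_headers().
 * @return array Headers with the CSP directive added.
 */
function example_https_csp_headers( array $headers ) {
	// Only relevant once the site is actually served over HTTPS; on plain
	// HTTP there is nothing to upgrade and reports would only be noise.
	if ( ! is_ssl() ) {
		return $headers;
	}

	// Hypothetical toggle: true (default) enforces upgrades, false reports only.
	$upgrade = (bool) apply_filters( 'wp_https_upgrade_insecure_requests', true );

	if ( $upgrade ) {
		$name  = 'Content-Security-Policy';
		$value = 'upgrade-insecure-requests';
	} else {
		// Report-Only policy as quoted in the ticket; `/endpoint` is a placeholder.
		$name  = 'Content-Security-Policy-Report-Only';
		$value = 'default-src https:; report-uri /endpoint';
	}

	// Merge rather than overwrite: another plugin may already have queued a
	// policy under the same header name, and replacing it would silently
	// drop its directives. (Browsers ignore a repeated directive name, so a
	// site already sending default-src should adjust the value above.)
	if ( ! empty( $headers[ $name ] ) ) {
		$headers[ $name ] .= '; ' . $value;
	} else {
		$headers[ $name ] = $value;
	}

	return $headers;
}
add_filter( 'wp_headers', 'example_https_csp_headers' );

// What the opt-out would look like in a site's plugin or mu-plugin
// (hypothetical filter name, see above):
// add_filter( 'wp_https_upgrade_insecure_requests', '__return_false' );
```

Two caveats worth keeping in mind with this approach: `wp_headers` only affects responses that pass through WP::send_headers(), so files served directly by the web server (uploads, static assets, cached pages bypassing PHP) still need the header set in the server configuration, and a Report-Only policy produces no reports at all unless something is actually listening at the `report-uri` path, which is why the quoted comment ties it to a plugin.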