[wp-trac] [WordPress Trac] #47577: Streamline detecting and enabling HTTPS
WordPress Trac
noreply at wordpress.org
Sun Jun 30 18:27:13 UTC 2019
#47577: Streamline detecting and enabling HTTPS
-------------------------------------------------+-------------------------
Reporter: flixos90 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Resolution:
Keywords: 2nd-opinion needs-unit-tests has-patch | Focuses:
-------------------------------------------------+-------------------------
Comment (by westonruter):
Replying to [comment:5 flixos90]:
> > I suggest also adding an `upgrade-insecure-requests` CSP directive to
> > automatically handle this outside of the content
>
> That's worth exploring. I'm wondering whether that would cause problems
> with URLs pointing to external websites, that may still not be on HTTPS
> though - how does the directive deal with images or links from such
> websites? The other concern is that in order to add CSP headers into core,
> it may be better to work on a simple centralized solution as a developer
> API that would allow managing those directives.
Hyperlinks to other websites would be ignored since merely linking to
another site does not cause a request. Images, videos, iframes, and other
resources would need to be upgraded even on external domains as otherwise
there would be insecure mixed content warnings.
Per [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests MDN]:
> The upgrade-insecure-requests directive will not ensure that users
> visiting your site via links on third-party sites will be upgraded to
> HTTPS for the top-level navigation
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47577#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
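
The behaviour discussed in the comment above, as a simplified model of the directive (an added example, not part of the original message or of WordPress core). The function names, reference kinds and sample URLs are hypothetical, and only hyperlinks and common subresources are modelled.

```javascript
// Simplified model of `Content-Security-Policy: upgrade-insecure-requests`
// applied to URLs referenced by one page. Names and sample URLs are
// hypothetical; form submissions and other request types are not modelled.

// Element kinds whose URL is fetched while the page renders.
const SUBRESOURCE_KINDS = new Set(['img', 'video', 'audio', 'script', 'iframe']);

function upgradeDecision(pageUrl, ref) {
  const page = new URL(pageUrl);
  const target = new URL(ref.url, page); // also resolves relative URLs

  if (ref.kind !== 'link' && !SUBRESOURCE_KINDS.has(ref.kind)) {
    throw new Error(`unmodelled reference kind: ${ref.kind}`);
  }
  if (target.protocol !== 'http:') {
    return { url: target.href, upgraded: false, reason: 'not http:' };
  }
  if (ref.kind === 'link' && target.hostname !== page.hostname) {
    // A hyperlink to another site is a top-level navigation there, not a
    // request made for this page, so the directive leaves it alone.
    return { url: target.href, upgraded: false, reason: 'cross-site navigation' };
  }
  // Subresources on any host, and links back to the page's own host, are
  // rewritten before the request is sent. There is no fallback to http:.
  target.protocol = 'https:';
  const reason = ref.kind === 'link' ? 'same-host navigation' : 'subresource';
  return { url: target.href, upgraded: true, reason };
}

// Constructed sample: references found on a page served over HTTPS.
const SAMPLE_PAGE = 'https://blog.example/post/1';
const SAMPLE_REFS = [
  { kind: 'img', url: 'http://cdn.example.net/a.png' },
  { kind: 'iframe', url: 'http://video.example.org/embed/1' },
  { kind: 'link', url: 'http://other.example.com/page' },
  { kind: 'link', url: 'http://blog.example/about' },
  { kind: 'img', url: '/wp-content/uploads/logo.png' },
];

function auditPage(pageUrl, refs) {
  return refs.map((ref) => ({ kind: ref.kind, from: ref.url, ...upgradeDecision(pageUrl, ref) }));
}

for (const row of auditPage(SAMPLE_PAGE, SAMPLE_REFS)) {
  console.log(`${row.kind.padEnd(6)} ${row.from} -> ${row.url} (${row.reason})`);
}
```

Because an upgraded request is not retried over HTTP, the `subresource` rows that point at external hosts are the ones to check for HTTPS availability before enabling the directive.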