[wp-trac] [WordPress Trac] #51438: Use CSP directive upgrade-insecure-requests when using HTTPS
WordPress Trac
noreply at wordpress.org
Fri Oct 2 20:08:07 UTC 2020
#51438: Use CSP directive upgrade-insecure-requests when using HTTPS
-------------------------+------------------------------------------
Reporter: flixos90 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords: needs-patch needs-unit-tests
Focuses: |
-------------------------+------------------------------------------
While looking at ways to streamline HTTPS support in WordPress core,
[https://core.trac.wordpress.org/ticket/47577#comment:4 one suggestion has
been to include a `Content-Security-Policy` directive of
`upgrade-insecure-requests`] for sites using HTTPS. This directive would
ensure that browsers automatically upgrade (old) insecure requests for
inline content (e.g. images) to HTTPS (see
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests).
This could be as simple as injecting
`<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">`
into `wp_head` for sites that use HTTPS (see `wp_is_using_https()` from
#47577). Alternatively, since this is mostly beneficial for sites that may
still ("accidentally") have insecure URLs in their content after migrating
from HTTP to HTTPS, it might make sense to rely on
`wp_should_update_insecure_urls()` from #51437 instead.
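One way the suggestion could be tried out as a small plugin (an added example, not the ticket's patch or WordPress core code). It assumes that `wp_is_using_https()` (#47577) and `wp_should_update_insecure_urls()` (#51437) return booleans and guards them with `function_exists()` since both were still proposals; `uir_example_site_uses_https()` is a hypothetical helper name. It also shows the HTTP header variant, which reaches the browser before any markup is parsed, whereas the `<meta>` tag only affects requests issued after it has been parsed.

```php
<?php
/**
 * Plugin Name: upgrade-insecure-requests example (added example, not core code)
 *
 * Emits the upgrade-insecure-requests CSP directive only for sites that
 * are actually served over HTTPS, so that leftover http:// subresource
 * URLs in post content are upgraded by the browser instead of causing
 * mixed-content blocks.
 */

function uir_example_site_uses_https() {
    // Narrowest signal (assumed boolean): sites that migrated from HTTP to
    // HTTPS and may still have insecure URLs in their content (#51437).
    if ( function_exists( 'wp_should_update_insecure_urls' ) ) {
        return (bool) wp_should_update_insecure_urls();
    }
    // Broader signal (assumed boolean): the site is configured for HTTPS (#47577).
    if ( function_exists( 'wp_is_using_https' ) ) {
        return (bool) wp_is_using_https();
    }
    // Fallback available in every WordPress release: is this request over TLS?
    return is_ssl();
}

// Preferred delivery: a real response header covers the whole document,
// including resources referenced before any <meta> tag would be parsed.
add_action( 'send_headers', function () {
    if ( uir_example_site_uses_https() && ! headers_sent() ) {
        header( 'Content-Security-Policy: upgrade-insecure-requests' );
    }
} );

// Fallback delivery: the <meta> tag from the ticket, printed as early as
// possible in <head> (priority 0) so it precedes enqueued styles and scripts.
// upgrade-insecure-requests is one of the directives allowed in a <meta>
// CSP; it does not force HTTPS for the document itself, only for its requests.
add_action( 'wp_head', function () {
    if ( uir_example_site_uses_https() ) {
        echo '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">' . "\n";
    }
}, 0 );
```

Sending both is harmless (browsers enforce the union of all delivered policies), but on a site with full-page caching only the `<meta>` form survives in the cached HTML, which is why the ticket's `wp_head` approach is worth keeping as the fallback.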
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51438>
WordPress Trac <https://core.trac.wordpress.org/>