SSL taskforce

We’re hoping to make many improvements relating to SSL/HTTPS support in 4.0. Several fixes have already gone in over the last couple of weeks, and several are in progress.

Below is an ad-hoc list of SSL related bugs and potential enhancements that I’ve experienced in one way or another. Please leave a comment with details of other SSL related issues you are aware of (whether they’re already in Trac or not). I’m going to be tackling as many issues as possible for this release. We may or may not find some time to discuss some of this during tonight’s dev meeting.

Issues with HTTP front end and an HTTPS backend

  • Customiser previews break, site is requested over http
  • ‘url’ and ‘return’ links in customiser have incorrect scheme
  • Media inserted into posts gets the incorrect scheme – #32479
  • GUIDs use the admin scheme
  • Network admin, some mixed http/https issues – #14867, #27499
  • Idea: filter to enable plugins to specify URLs / post IDs / paths which should be forced to https?
  • Idea: filter to enforce front end over http? (excluding urls from above filter)
  • Arguments in favour of a front-end ajax handler: x-domain and x-protocol issues with domain mapping – #12400

General issues with HTTPS on front end

  • Should we force https scheme on local content in post content, post excerpt, comment text, etc?… – #28521
  • Should we force https scheme using canonical? – fixed – #27954
  • Should we force https scheme for enqueued local scripts/styles? – #28521

General issues with HTTPS backend

  • Mixed content in the editor – can we force https scheme for local content? What about CDNs etc? – #28521
  • XML-RPC does not enforce https – #28424
  • Theme thumbnails aren’t loaded over https – fixed

General HTTPS issues

  • No support for secure oEmbeds – #28507
  • wp_get_attachment_url() doesn’t respect scheme – #15928
  • HSTS – not something core should do – could be enabled with a filter but not enabled by default – #28520
  • “Update siteurl and home as well” on network admin loses https scheme – fixed by #32503
  • SSL terminating proxies aren’t supported by default – #31288, #29708, #6778, [28610], [30090]

Issues specifically with HTTPS everywhere

  • Not all cookies have secure flag set – #28427
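As an added illustration of the ideas above (forcing the https scheme on local content and enqueued assets, and opting in to HSTS via a filter), here is a small must-use plugin. It is example code written for this page, not WordPress core or a patch from any of the tickets listed; the `https_example_*` function names and the `https_example_enable_hsts` filter are made up for the example, while `set_url_scheme()`, `is_ssl()`, `home_url()`, the `script_loader_src`/`style_loader_src`/`the_content` filters and the `send_headers` action are existing WordPress APIs.

```php
<?php
/*
Plugin Name: HTTPS hardening (added example, not core code)
Description: Forces the https scheme on local URLs in enqueued assets and post
content, and sends an HSTS header only when a filter opts in. Assumes the
site's home URL has already been switched to https.
*/

// True when the configured home URL is https; we only rewrite in that case.
function https_example_site_is_https() {
    return 'https' === parse_url( home_url(), PHP_URL_SCHEME );
}

// Rewrite http:// to https:// for URLs on the site's own host only.
// Third-party hosts (CDNs, embeds) are left alone: forcing https on a host
// that does not serve it would break the resource rather than secure it.
function https_example_force_local_scheme( $url ) {
    $home_host = parse_url( home_url(), PHP_URL_HOST );
    $url_host  = parse_url( $url, PHP_URL_HOST );
    if ( $url_host && 0 === strcasecmp( $url_host, $home_host ) ) {
        return set_url_scheme( $url, 'https' );
    }
    return $url;
}

// Enqueued scripts and styles: fix the scheme of the src attribute.
function https_example_asset_src( $src ) {
    return https_example_site_is_https() ? https_example_force_local_scheme( $src ) : $src;
}
add_filter( 'script_loader_src', 'https_example_asset_src' );
add_filter( 'style_loader_src', 'https_example_asset_src' );

// Post content: find every absolute URL and run it through the same local-only rule.
function https_example_content( $content ) {
    if ( ! https_example_site_is_https() ) {
        return $content;
    }
    return preg_replace_callback(
        '#\bhttps?://[^\s"\'<>]+#i',
        function ( $m ) { return https_example_force_local_scheme( $m[0] ); },
        $content
    );
}
add_filter( 'the_content', 'https_example_content' );

// HSTS: off by default, enabled by a plugin returning true from the (hypothetical)
// https_example_enable_hsts filter, and only sent on an https response, since
// browsers ignore the header over plain http anyway (RFC 6797).
function https_example_hsts() {
    if ( is_ssl() && apply_filters( 'https_example_enable_hsts', false ) ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
}
add_action( 'send_headers', 'https_example_hsts' );
```

Drop the file in wp-content/mu-plugins/ on a site whose home URL is already https; `send_headers` fires on front-end requests only, so admin responses are not covered by the HSTS hook here.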