SSL taskforce

We’re hoping to make many improvements relating to SSL/HTTPS support in 4.0. Several fixes have already gone in over the last couple of weeks, and several are in progress.

Below is an ad-hoc list of SSL-related bugs and potential enhancements that I’ve experienced in one way or another. Please leave a comment with details of other SSL-related issues you are aware of (whether they’re already in Trac or not). I’m going to be tackling as many issues as possible for this release. We may or may not find some time to discuss some of this during tonight’s dev meeting.

Issues with an HTTP front end and an HTTPS backend

  • Customiser previews break: the site is requested over http
  • The ‘url’ and ‘return’ links in the customiser have the incorrect scheme
  • Media inserted into posts gets the incorrect scheme – #32479
  • GUIDs use the admin (https) scheme rather than the front-end scheme
  • Network admin: some mixed http/https issues – #14867, #27499
  • Idea: a filter to let plugins specify URLs / post IDs / paths which should be forced to https?
  • Idea: a filter to enforce the front end over http (excluding URLs matched by the filter above)?
  • Arguments in favour of a front-end ajax handler: cross-domain and cross-protocol issues with domain mapping – #12400

General issues with HTTPS on front end

  • Should we force the https scheme on local content in post content, post excerpts, comment text, etc.? – #28521
  • Should we force https scheme using canonical? – fixed – #27954
  • Should we force https scheme for enqueued local scripts/styles? – #28521
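As an added illustration of what “forcing the https scheme on local content” could look like, here is a small plugin that rewrites local http:// URLs on output when the page itself is served over HTTPS. It is example code written for this post, not WordPress core code and not the approach any of the tickets above settle on. It assumes the site’s home URL is the only local origin, leaves CDN and other remote hosts alone, and uses a hypothetical `ssltf_` function prefix.

```php
<?php
/*
 * Plugin Name: SSL taskforce example – force https on local URLs
 *
 * Added example, not WordPress core code. Rewrites http:// URLs that point at
 * this site to https:// in post content, excerpts, comment text and enqueued
 * scripts/styles, but only when the current request is already over HTTPS.
 * Assumptions: the home URL is the only "local" origin, it is not on a
 * non-standard port, and remote/CDN hosts are deliberately left untouched.
 */

/**
 * Host name of this site, taken from the home URL.
 */
function ssltf_home_host() {
    return strtolower( (string) parse_url( home_url(), PHP_URL_HOST ) );
}

/**
 * Force the https scheme on a single URL if it points at this site.
 * External URLs (including CDNs) and scheme-relative URLs are returned as-is.
 */
function ssltf_force_local_https( $url ) {
    if ( ! is_ssl() ) {
        return $url;
    }
    $host = parse_url( $url, PHP_URL_HOST );
    if ( ! $host || strtolower( $host ) !== ssltf_home_host() ) {
        return $url;
    }
    // set_url_scheme() is a core helper (since 3.4) that swaps the scheme only.
    return set_url_scheme( $url, 'https' );
}

/**
 * Rewrite http:// references to this site inside a block of HTML/text.
 * Only the scheme of absolute local URLs is changed; remote hosts and
 * already-https URLs are unaffected.
 */
function ssltf_force_https_in_html( $html ) {
    if ( ! is_ssl() ) {
        return $html;
    }
    $host = ssltf_home_host();
    // "http://<home host>" must be followed by a path, query, fragment,
    // delimiter or end of string, so example.com does not also match
    // example.com.evil.test.
    $pattern = '#\bhttp://' . preg_quote( $host, '#' ) . '(?=[/?\#"\'\s<>)]|$)#i';
    return preg_replace( $pattern, 'https://' . $host, $html );
}

// Post content, excerpts and comment text: run late so other filters
// (shortcodes, embeds) have already produced their markup.
add_filter( 'the_content', 'ssltf_force_https_in_html', 999 );
add_filter( 'the_excerpt', 'ssltf_force_https_in_html', 999 );
add_filter( 'comment_text', 'ssltf_force_https_in_html', 999 );

// Enqueued local scripts and styles.
add_filter( 'script_loader_src', 'ssltf_force_local_https' );
add_filter( 'style_loader_src', 'ssltf_force_local_https' );
```

Rewriting on output rather than in the database keeps the stored content as the user entered it, so nothing has to be migrated back if the site later stops serving HTTPS, and the `is_ssl()` guard means an http request still gets http URLs (which is the front-end-over-http case from the list above).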

General issues with HTTPS backend

  • Mixed content in the editor – can we force the https scheme for local content? What about CDNs etc.? – #28521
  • XML-RPC does not enforce https – #28424
  • Theme thumbnails aren’t loaded over https – fixed

General HTTPS issues

  • No support for secure oEmbeds – #28507
  • wp_get_attachment_url() doesn’t respect scheme – #15928
  • HSTS (the Strict-Transport-Security header) – not something core should do – could be enabled with a filter but not enabled by default – #28520
  • “Update siteurl and home as well” on network admin loses https scheme – fixed by #32503
  • SSL-terminating proxies aren’t supported by default – #31288, #29708, #6778, [28610], [30090]
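Two of the items above (SSL-terminating proxies and opt-in HSTS) are things a site owner can already do outside core, so here is an added example of both. This is example code written for this post, not core code and not a proposed patch: part 1 goes in wp-config.php above the “stop editing” line so it runs before WordPress consults `is_ssl()`, part 2 is a small plugin. The proxy addresses and the `ssltf_` prefix are assumptions.

```php
<?php
/*
 * Added example, not WordPress core code. Part 1 belongs in wp-config.php
 * (before wp-settings.php is loaded); part 2 is a plugin or mu-plugin.
 */

/* ---- Part 1: wp-config.php, behind an SSL-terminating proxy ---- */

// Only these upstream proxies (assumed addresses) may tell us the client used
// HTTPS. Anyone else sending "X-Forwarded-Proto: https" would otherwise make
// is_ssl() true for a plaintext request, and WordPress would then treat an
// insecure connection as secure (cookies, https URLs, admin redirects).
$ssltf_trusted_proxies = array( '10.0.0.5', '10.0.0.6' );

if ( isset( $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && in_array( $_SERVER['REMOTE_ADDR'], $ssltf_trusted_proxies, true )
) {
    // With several proxies in a chain the header can be a comma-separated
    // list; the first entry is the scheme the original client used.
    $ssltf_proto = strtolower( trim( strtok( $_SERVER['HTTP_X_FORWARDED_PROTO'], ',' ) ) );
    if ( 'https' === $ssltf_proto ) {
        $_SERVER['HTTPS'] = 'on'; // this is the value is_ssl() checks
    }
}

/* ---- Part 2: plugin that opts in to HSTS (stays off unless activated) ---- */

/**
 * Send Strict-Transport-Security on HTTPS responses only.
 */
function ssltf_send_hsts_header() {
    // Never send HSTS over plain http: browsers ignore it there, and a
    // mis-detected scheme is exactly the wrong moment to commit the host.
    if ( ! is_ssl() || headers_sent() ) {
        return;
    }
    // Start with a short max-age while testing. Once browsers have cached a
    // long max-age (especially with includeSubDomains) they refuse plain http
    // to the host until it expires, even if the certificate later breaks.
    header( 'Strict-Transport-Security: max-age=300' );
}
add_action( 'init', 'ssltf_send_hsts_header' );
```

The `REMOTE_ADDR` check is the part most proxy snippets leave out: without it the header is attacker-controlled, which is the main reason trusting `X-Forwarded-Proto` unconditionally in core would be a bad default. Keeping HSTS in a plugin rather than core matches the position in the list above that it should be opt-in.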

Issues specifically with HTTPS everywhere

  • Not all cookies have secure flag set – #28427