Make WordPress Core

Recent Updates Page 2 Toggle Comment Threads | Keyboard Shortcuts

  • K.Adam White 5:30 pm on September 27, 2016 Permalink |
    Tags: , ,   

    API Team Update 

    API Team Update Sept. 27 2016

    The API team met yesterday on slack for our weekly update, which this week was predominately focused on follow-up from last Thursday’s comprehensive GitHub issues scrub.

    Since the previous API team update the group has been making steady progress through the gameplan outlined in that post. To give a quick update on a few key “quirky” issues that had been identified:

    Password-Protected Posts

    As noted in last week’s dev chat, password-protected posts will be included in collections with their content set to '', and the content can be viewed by passing ?password=XXXXX as a query or GET parameter when querying for a specific post. Query parameters are not an ideal solution: Authorization headers are out because you can’t have multiple authorization schemes in one request; cookies don’t afford enough control to browser clients, and custom headers aren’t respected by caches. See GH issue #2701 for more background, and check out the open pull request to review the specifics of the implementation.

    Sticky Posts

    After much debate there is now a path forward for handling sticky posts as well. Following this open pull request, sticky posts are included in the /wp/v2/posts collection, but are not given special treatment in terms of ordering—a sticky post will, by default, be displayed ordered by date or whatever orderby has been set for the request. The parameter ?sticky=true may be passed to return only sticky posts; ?sticky=false may be passed to exclude sticky posts from the response.

    There is ongoing discussion around how the API could surface posts in the “normal loop order,” with stickies on top, followed by non-sticky posts. @jorbin will propose a follow-up enhancement that could be added in to the API in a later cycle. See GH issue #2210 and associated slack discussion for more commentary.

    Meta Support

    A pull request is open on the API meta endpoints repository to add support for registering meta with the API using the main register_meta function. This PR includes a comprehensive readme explaining how meta handling works. Once merged & reviewed, this functionality will be PR’d against the primary REST API plugin repository.

    Site Settings (Options) Support

    A pull request has merged into the API site endpoints repository which adds support for accessing and manipulating site settings through the API. These endpoints will be PR’d against the core REST API plugin repository this week.

    Discussion items for 9/28 dev chat

    This project is not quite done yet, and in tomorrow’s dev chat the API team will be looking to the broader WordPress team for input on three priority issues that need a decision:

    Upcoming Meetings

    Please join us in #core-restapi on chat.wordpress.org for our next two group meetings:

  • Aaron Jorbin 6:09 am on September 27, 2016 Permalink |
    Tags: ,   

    Bug Scrubs This Week 

    There are a few upcoming bug scrubs in addition to the regular component ones that you should plan on attending. Both of these scrubs will be taking place in the #core slack room.

    Additionally, thanks to @desrosj for running a 4.7 focused scrub on Monday.

    Want to run a bug scrub? Learn about running your own.

    • Aaron D. Campbell 5:57 pm on September 27, 2016 Permalink | Log in to Reply

      Unfortunately, something has come up and I had to reschedule my bug scrub. I updated the time in the post. Sorry to anyone this is less convenient for.

  • David A. Kennedy 10:45 pm on September 23, 2016 Permalink |
    Tags: , ,   

    Twenty Seventeen Meeting Notes: Sept. 23 2016 

    Here’s the meeting summary for this week. If I missed anything, let me know in the comments.



    The group:

    • labeled a handful of issues on GitHub that hadn’t been triaged yet.
    • discussed ideas for handling the home page layout. #37974 will become the “master” ticket for this. All discussion related to improving this part of themes should happen there – in Trac and not on GitHub. Many ideas were mentioned, but the first step agreed on was mapping out user flows. See A shorthand for designing UI flows for context.
    • decided to have a second meeting for the features around Twenty Seventeen, like the one discussed in #37974. That meeting will be every Tuesday, at 17:00 UTC in #core-themes.
  • David A. Kennedy 3:05 pm on September 23, 2016 Permalink |
    Tags: , ,   

    Twenty Seventeen: Agenda for Sept 23, 2016 Meeting 

    Here’s the agenda for today’s weekly meeting on Twenty Seventeen. It will last 30 minutes, and I’ll be around in the #core-themes channel for at least 30 minutes afterward to answer any questions.

    • Triage as many issues and PRs that haven’t been labeled yet.
    • Handling the home page layout. See: Pull #62, #19627, #16379, #38013.
    • Open floor.

    Reminder: Meetings are every Friday at 18:00 UTC.

  • Nick Halsey 4:59 am on September 23, 2016 Permalink |
    Tags: ,   

    Customize Update 2016-09-22 

    This is the weekly update post for the customize component. It includes a summary of this week’s meeting, recent commits, and next week’s meeting agenda.

    Weekly Customize Meeting Summary

    On Monday we held our weekly 4.7 customize component meeting in #core-customize on Slack [logs]. Participants: @celloexpressions, @ataylorme, @westonruter, @johnregan3. This summary also contains a few notes on action since the meeting.

    4.7 Projects

    • Create pages within live preview during site setup – #37914#37915, #37916, #38002, #38013 – @celloexpressions
      • @boone shared a proposal later in the week for term status; a make/core proposal is likely the next step
      • @westonruter committed adding new pages to the static front page options, and making them contextual in #38013.
      • We need a new ticket following up on #38013 for enabling pages to be created within the static front page UI. @westonrtuer has initial code for this in the Customize Posts plugin.
      • We still need UX feedback on providing a path to edit newly-created pages, #38002.
    • A new experience for themes in the customizer – #37661 –@celloexpressions
      • We’re primarily pending feedback at this point. Could use some assistance from the shiny updates team to add shiny theme uploads as well.
      • There is another updated patch as of today with some minor bug fixes, based on testing from @rabmalin.
      • Usability testing started today; see the results on Make/Design.
      • A feature proposal post will be published next week.
    • Code-editing gateways, via CSS – #35395 – @johnregan3
      • We still need information from anyone familiar with the CSSTidy library. It seems that the version included in Jetpack is an up-to-date fork, as the original project was last updated in 2007. If anyone from Automattic can provide input here that would be appreciated.
      • We also need to ensure that the license, GPL 2.1 or later is compatible with core.
      • The CodeMirror library is also proposed to be bundled with core for this project; we would like core committer/lead developer approval for bundling both of these soon so that we can proceed. CSSTidy is a requirement, CodeMirror is a usability enhancement (syntax highlighting).
      • We’re planning to post the feature proposal the week after next.
    • Customizer browser history#28536 – @westonruter
      • Feature proposal post will be published in three weeks, as this shouldn’t need signficant work to polish up.
    • Customize transactions#30937 – @westonruter
      • @westonruter is working to sit down and focus on this this week, and will evaluate whether it’s still feasible for 4.7.
    • Improving sliding panels UI – #34391, #34343, #29158 – @delawski
      • @westonruter is planning to commit #34391 on Friday, after a final review from @celloexpressions. (#37661 will need a refresh, to be handled tomorrow night).
      • @delawski is also preparing a make/core post to be published in the next few days.
      • #34343 is pending #34391.
      • #29158 needs design ideas for the back arrows and close button focus styles, ticket updated accordingly.
    • Twenty Seventeen
      • @davidakennedry shared a mockup for video headers in #core-themes. This would require someone digging deep into #36581 and #32861 before work can begin on adding support for videos, and insert from URL may not be feasible.

    Additional Tickets Needing Attention

    • Customizer notifications – #35210 – needs UX feedback and a patch
      • @westonruter will work on this after transactions unless anyone else is willing to work on turning the latest proposal into a patch.
      • This ticket is holding up some of the other tickets on the 4.7 milestone, such as #22037 and #29932, as well as aspects of transactions.
    • Remove customizer support for IE8 – #38021

    Ticket Scrub

    We reviewed tickets with no replies. Many were authored by component maintainers, and as such required only a +1 on the ticket.

    • #36581: Customizer Header Image Control should extend the cropped image control
      • Pending someone volunteering to work on this.
    • #36589: Don’t use localhost in Tests_Image_Header tests
    • #36688: Exit button in customiser only lower third active
      • Not reproducible, needs reporter feedback.
    • #36733: Use a custom customizer section for add-widgets and add-menu-items panels, making this UI pattern reusable in plugins
      • Could use more discussion, but it would be nice to make this code accessible to plugins.
    • #37275: Facilitate creating controls that manipulate settings with object values
      • Low priority, commented accordingly.
    • #37281: Allow non-error notifications to be set for Customizer settings from PHP
      • This might be useful for Twenty Seventeen, depending on the custom color strategy.
    • #37727: Allow for customize control notifications to have extensible templates
    • #37964: Allow customizer controls to be encapsulated by accepting pre-instantiated settings
      • The patch needs to be reviewed.
    • #38077: Facilitating embedding customizer controls outside of sections
      • This will be more useful long-term, but isn’t a priority for 4.7.
    • #38091: Shortcut to collapse current control/section/panel is triggered when it shouldn’t be
      • Could use more opinions on whether this should be in 4.6.2.
    • #38093: WP_Customize_Color_Control – there is no option for transparent color
      • Commented but couldn’t find a duplicate ticket as mentioned in the meeting, does anyone else recall this issue?

    Recent Customize Commits

    Here are the customize-related commits for the past week:

    • [38618]: Customize: Ensure nav menu items lacking a label use the title from the original object.
    • [38624]: Customize: Let static_front_page section be contextually active based on whether there are any pages (including pages added in menus).
    • [38627]: Customize: Remove IE8 access to customizer to discontinue support.
    • [38628]: Customize: Add wp-util as a dependency for customize-controls.
    • [38642]: Accessibility: Fix the Customizer available menu items toggles focus for Safari and VoiceOver.

    Big thanks to those who contributed to patches committed this week: @ryankienstra, @westonruter, @afercia, @ocean90.

    We’re always looking for more contributors; check out the open customize tickets and swing by #core-customize in Slack to get involved. Fun fact: we’re 10 commits away from the 1000th commit that references customize.

    Agenda for 2016-09-26 Meeting

    Our next regularly-scheduled meeting is next Monday, September 26, 2016, 17:00 UTC. Agenda:

    4.7 Projects

    Additional Tickets Needing Attention

    • Customizer notifications – #35210 – needs UX feedback and a patch
    • Customizer UI Contrast/Focus Styles – #29158 – needs UI ideas for focus styles on back buttons

    Ticket Scrub

    • 4.7 Customize tickets sorted by date modified. We’ll discuss everything with no activity in the last week to make sure we’re still on track.
    • We’ll pick a different query to triage each week. For example, bugs awaiting review (need verification).

    We’ll see you next week!

  • Joe McGill 1:40 am on September 23, 2016 Permalink |
    Tags: ,   

    Media Weekly Update (Sept 22) 

    This post serves to jump-start discussion before our weekly check in, which takes place in #core-images on Slack. Our next meeting is Friday, September 23 at 17:00 UTC and the agenda for these meetings include moving priority tasks forward, providing feedback on issues of interest, and reviewing media focused tickets on Trac.

    Summary from last week

    Our last meeting was Friday, September 16 at 19:00 UTC. You can read the entire chat log in the #core-images channel on Slack.

    Attendees: @joemcgill, @paaljoachim, @markoheijnen, @helen, @flixos90, @afercia

    • Unexpected change to media title behavior in WP 4.6.1 (#37989) – This is a regression, which has been partially fixed.
    • Sanitize accents in attachment filenames (#22363)@mike and @markoheijnen were planning to work on #22363 in person this past week and will decide on next steps.
    • Better PDF thumbnails (#31050)@markoheijnen tested out plugins that claim to handle this and found that all suffer from the same “corrupted image” issues that have blocked this ticket. The strategy is to see if we can detect which PDFs will fail and fall back to a default PDF icon when that is the case.
    • Media organization improvements:
      • Make media library searchable by filename (#22744) – This was fixed in [38625].
      • We had a lengthy discussion about the potential for adding a default taxonomy to attachments, including identifying some related tickets that would need to be addressed (e.g., #22938)
      • @paaljoachim shared the results of some research into how non-WP image applications handle media organization in the form of this Google doc.

    Agenda for our next meeting

    This week, we will continue discussion on our priority projects for the 4.7 release. If you have specific tickets that you want to have discussed, feel free to leave a comment on this post or reach out on Slack in the #core-images channel.

    Priority Tickets:

    HTTPS Update: @johnbillion recently posted a call for an HTTPS Working Group on the make/core blog. Meetings will be on Fridays (time TBA).

    • djsteveb 6:33 am on September 23, 2016 Permalink | Log in to Reply

      Glad to see people improving WP’s image things.

      Hope we can get an easy option to set a default limit of how many media appear on the main /media uploads/ or whatever pages. Hope we can also choose to set a default ‘only user XXXX” at first, and perhaps view by user role in the future.

      Currently the browser window will freeze up with some WP installs I run with buddypress – as the default admin screen loads up with all the user’s images and thumbnails, taking a ton of time and memory.

      I mentioned this here:https://make.wordpress.org/core/2016/09/08/media-weekly-update/#comment-31163 but think I got the comment out there too late for anyone to see it.
      Maybe there is a better place to mention these things for future consideration in improvements with wp images ?


      • Joe McGill 2:05 pm on September 23, 2016 Permalink | Log in to Reply

        Hi djsteveb,

        Thanks for the feedback. The best way to bring up enhancement requests or bugs is by filing an ticket on Trac (if one doesn’t already exist addressing the issue you’re experiencing). In this case, it sounds like you may be experiencing the same issue described in ticket #30401. If you could provide feedback on that ticket, that would be helpful.


  • Jeff Paul 8:06 pm on September 22, 2016 Permalink |
    Tags: , ,   

    Dev Chat Summary: September 21 (4.7 week 5) 

    This post summarizes the dev chat meeting from September 21st (agenda, Slack archive).


    • Schedule: As of this meeting, we are 4 weeks from the final chance to merge in major features. This includes Twenty Seventeen.

    Bug Scrubs

    Components & Features

    • Twenty Seventeen (@davidakennedy, @melchoyce)
      • Announcement post, latest update
      • Maintainers are out travelling today, but #core-themes is active and they will be holding a meeting on Friday at 18:00 UTC
    • REST API (@krogsgard, @kadamwhite )
      • Latest update
      • API discussion is at 7 am Pacific on Mondays
      • Settings endpoints and meta support both have first-passes on them, which need internal review and some more testing before we ship
      • We have a path forward for passworded posts (password in the query string, eww, but only viable option), there really isn’t a way we can see to avoid sending them as a query param
      • Meeting tomorrow in #core-restapi at 21:00 UTC to go through open issues around non-trivial, conceptual issues in WordPress. REST API team will prepare summary of issues for component maintainers and/or lead devs to review, question, and help guide discussion towards consensus.
    • Media (@mikeschroder, @joemcgill)
      • Latest update
      • Moving our weekly meetings up to Fridays at 17:00 UTC starting this week
      • Unexpected change to media title behavior in WP 4.6.1 (#37989) – The main issue here was resolved, but there seems to still be some odd behavior affecting words being chopped off filenames with international characters. Could use extra eyes from anyone (along with @sergey) more versed in i18n. Regression on the attachment titles that we generate on upload all became URL encoded instead of reading like a normal title.
      • Media search doesn’t include file name (#22744) – Committed earlier this week. Please report any issues that come as a result.
      • Next step in improving the organization of the media library is to assess both the infrastructure and UI improvements that need to be made here. Prefer to include #design early in this process, rather than asking for UI feedback on development driven decisions, hope to be part of the #design chat agenda tomorrow
    • Customize (@westonruter, @celloexpressions)
      • Latest update
      • In this week’s meeting we developed a schedule for publishing make/core feature proposals/dev notes for the remaining primary 4.7 customize projects, working backward from anticipated time to commit after the proposal and current readiness:
        • Week of 9/19: Improving sliding panels UI (34391, @delawski)
        • Week of 9/26: A new experience for themes in the customizer (37661, @celloexpressions). Please review soon for any requested changes in direction or design.
          • Summary: The existing themes section in the customizer is replaced with a full-screen theme browser and installer… The UI is nearly identical to wp-admin/theme-install.php… The .org-based theme-install previewer is not accessible here because it is likely to cause confusion with its customizer-like interface and the resulting need to switch contexts back and forth… An overarching goal is to avoid switching in and out of the admin/frontend/customize contexts during theme installation and previewing, instead staying in the hybrid customizer context that provides a combination of frontend plus controls… On the technical side, this heavily leverages JS-templated customizer controls and scales nicely to hundreds of themes.
          • Visual:
          • Please comment on the ticket with your feedback as soon as possible, preferably with specific concerns/ideas and reasons.
          • @celloexpressions to check in with @karmatosed on user testing ahead of posting final feature proposal
        • Week of 9/26: Customize transactions (30937, @westonruter evaluating this week and might punt again)
        • Week of 10/3: Code-editing gateways, via CSS (35395, @johnregan3/@celloexpressions). Awaiting approval/feedback on the acceptability/ability to bundle the two proposed libraries in core, with feedback particularly needed from committers and anyone familiar with the Jetpack fork of CSSTidy.
        • Week of 10/10: Customizer browser history (28536, @westonruter)
    • I18n (@swissspidy)
      • User Admin Language (#29783) – almost ready, another review this week and will commit if no blocker pops up
      • Introduce a locale-switching function (#26511) – @ocean90 to do some benchmarking
      • Introduce some JavaScript i18n functions (#20491) – GlotPress side has a solid plugin for exporting translations as JSON files (assistance on testing would be helpful). Still tinkering with the WordPress side and would love to get some additional feedback there.
    • Editor (@azaozz, @iseulde)
      • No updates, but would love to figure out a way to get more user feedback that helps us set direction for the editor. Will look to add some Core questions to annual survey on WordPress.org. Otherwise will start with something in the beta tester plugin, biased audience but it’s one that exists, is more likely to opt-in, and will be more flexible.
    • HTTPS (@johnbillion)

    Open Floor

    • @pbearne on Add filters to wp_new_user_notification and wp_password_change_notification (#38068) – added a set of filters to allow us to override email messages send by the wp_new_user_notification and wp_password_change_notification functions. @johnbillion to review as it relates to work on notifications.
    • @danieliser checking for interest for core in a set of reusable templates, models & functionality for forms, tabs & modals
    • @ericlewis on Bulk actions: Reactivate bulk actions hook + add hander hook for all admin screens (#16031) – could use a review of the latest patch, looking to commit sometime in the next week
    • @dshanske still working through the Pings and Trackbacks component
  • Andrew Rockwell 11:14 am on September 22, 2016 Permalink |  

    Week in Core, September 7 – 20, 2016 

    Welcome back the latest issue of Week in Core, covering changes [38571-38636]. Here are the highlights:

    • 66 commits
    • 61 contributors
    • 171 tickets created
    • 15 tickets reopened
    • 106 tickets closed

    Ticket numbers based on trac timeline for the period above. The following is a summary of commits, organized by component.

    Code Changes



    • Docs: Use a third-person singular verb for wp_doing_ajax filter added in [38334]. [38607] #25669
    • Bootstrap: Use dirname() when loading class-wp-hook.php from plugin.php. [38589] #37707


    • Database: Fall back to utf8 when utf8mb4 isn’t supported. [38580] #37982


    • Add wp-util as a dependency for customize-controls. [38628] #38107
    • Remove IE8 access to customizer to discontinue support. [38627] #38021
    • Let static_front_page section be contextually active based on whether there are any published pages. [38624] #34923, #38013
    • Ensure nav menu items lacking a label use the title from the original object. [38618] #38015
    • CBetter hover/focus state for section titles and available widgets. [38602] #29158
    • Implement previewing of form submissions which use the GET method. [38587] #20714
    • Prevent widget previewing logic from building invalid jQuery selectors when sidebars are registered without a class name in before_widget. [38577] #37993


    • Normalise index names in dbDelta(). [38591] #34874
    • Increase the size of wp_posts.post_password to 255 characters. [38590] #881


    • Docs: Use a third-person singular verb for smilies filter added in [38504]. [38608] #35905
    • Update autop() to match wpautop(). [38594] #4857, #4857
    • Docs: Fix an outdated comment. [38593] #4857
    • Add an extra line break before block elements in wpautop(). [38592] #4857
    • Don’t send an HTTP status code in wp_send_json() by default. This avoids clobbering an HTTP status code that may have been set prior to calling this function. [38576] #35666



    • Correct context for Next/Previous strings in get_the_posts_pagination(). [38611] #37952



    Networks and Sites

    • Multisite: Show always domain and path when deleting a site. [38633] #37309
    • Multisite: Use get_networks() in get_main_network_id(). [38632] #37218
    • Multisite: Provide $join as a possible SQL clause to the sites_clauses filter. [38631] #37922
    • Multisite: Add annotations for extended WP_Site properties. [38630] #37932
    • Docs: Synchronize docblocks for WP_Site_Query::__construct() and get_sites() after the changes in [37735], [38008], [38103], and [38336]. [38596] #38039
    • Docs: Correct description for domain and path arguments in WP_Network_Query::__construct(). [38595] #32504

    Options, Meta APIs

    • Options: Build out register_setting like register_meta. [38635] #37885


    • Ensure Pending Review Posts permalink posts link to the draft [38572] #37423


    • Style the primary action link in the non-js “Installing Plugin” page. [38617] #36430
    • Tests: Use add_filter() when it’s available. [38582] #17817
    • Docs: Fix minor formatting for inline docs in WP_Hook following its introduction in [38571]. [38573] #17817
    • Hooks: Add the new class WP_Hook, and modify hook handling to make use of it. [38571] #17817

    Posts, Post Types




    • Docs: Correct the description of {$taxonomy}_term_new_form_tag hook, making it more consistent with other *_form_tag hooks. [38629] #38104
    • Pass taxonomy name to actions in term-relationship CRUD functions. [38621] #38006
    • Query: Eliminate unnecessary wp_list_filter() call in get_queried_object(). [38586] #37962
    • Query: Avoid PHP notice in get_queried_object() when query contains NOT EXISTS tax query. [38585] #37962


    • Docs: Correct two references to plugins in the $args parameter description for themes_api(). [38623] #37939
    • Docs: Use a third-person singular verb for {$type}_template_hierarchy filter added in [38385]. [38609] #14310
    • Docs: Use a third-person singular verb in the DocBlock summary for get_theme_file_uri(), get_parent_theme_file_uri(), get_theme_file_path(), and get_parent_theme_file_path(), introduced in [38578]. [38606] #18302
    • Docs: Use a third-person singular verb for theme_file_uri, parent_theme_file_uri, theme_file_path, and parent_theme_file_path filters added in [38578]. [38605] #18302
    • Add the non-encoded form of the queried item slug to the template hierarchy when the slug contains non-ASCII characters. [38583] #37655
    • Taxonomy: Revert accidental changes introduced in [38578]. [38579] #18302
    • Improve child theme file inheritance by introducing functions for locating and fetching the URL or path to files within child and parent themes. [38578] #18302


    • Add a ‘View Posts’ link to the toolbar when on the post listing screen. [38634] #34113


    • Docs: Correct a comment and @return entry in WP_Upgrader::create_lock(). [38622] #38089
    • Automatically log users in after installation. [38619] #34084


    • Avoid a PHP notice in ::pingback_ping() if page title was not found. [38620] #36727
    • Check the minimum number of arguments in ::wp_getUsersBlogs() and ::blogger_getUsersBlogs(). [38600] #29750

    Thanks to @aaroncampbell, @adamsilverstein, @afercia, @akibjorklund, @DMing, @BjornW, @boonebgorges, @celloexpressions, @curdin, @danielpietrasik, @dd32, @DrewAPicture, @eliorivero, @enshrined, @ericlewis, @FlorianBrinkmann, @folletto, @georgestephanis, @gma992, @helen, @hideokamoto, @hugobaeta, @ian.edington, @iandunn, @jbrinley, @jeremyfelt, @joehoyle, @joemcgill, @johnbillion, @johnjamesjacoby, @jorbin, @karmatosed, @kitchin, @knutsp, @markshep, @MaximeCulea, @melchoyce, @monikarao, @nacin, @nazgul, @obenland, @ocean90, @paulwilde, @pento, @peterwilsoncc, @RedSand, @rmccue, @rnoakes3rd, @rommelxcastro, @ryankienstra, @ryanplas, @SergeyBiryukov, @skippy, @spacedmonkey, @swissspidy, @Takahashi_Fumiki, @websupporter, @welcher, @westonrute, @westonruter, and @wonderboymusic for their contributions!

  • Felix Arntz 12:23 pm on September 21, 2016 Permalink |
    Tags: , ,   

    Upcoming Multisite Bug Scrubs 

    After the initial multisite bug scrub in the 4.7 release cycle last week, we will continue going through the list of bug tickets this week on Thursday 20:00 UTC, in #core-multisite as usual. The respective report was about bug tickets with the multisite focus that were opened within the last year. We have 8 tickets to go for that report, so we should be able to finish it this week.

    After that, we will continue having regular multisite bug scrubs that are held every Thursday at 20:00 UTC, then focussing on multisite tickets milestoned for the 4.7 release.

    If you aren’t available during the weekly multisite bug scrubs, feel free to leave a comment here or in #core-multisite if you have other tickets you’d like to see covered.

    See you then!

    • Mikel King 7:46 pm on September 27, 2016 Permalink | Log in to Reply

      Wonder why we don’t use a public google calendar (or other iCalnedar based system) to keep track of these meetings?

      For the most part the iCalendar system would keep track of the timezone adjustments and make coordination of multiple meetings easier.

  • John Blackbourn 7:41 am on September 21, 2016 Permalink |

    HTTPS Working Group 

    In WordPress 4.4 and 4.5, various pieces of work were done to improve HTTPS support in core, but not much has been tackled since then. To address this, I’m going to re-start the weekly chats in the #core-http channel in Slack. Fridays late afternoon UTC/GMT are good for me — does this work for other people who are interested in helping with HTTPS issues?

    Although the HTTPS improvements are always ongoing and not tied to a particular release, it would be great to get some improvements into 4.7.

    If you run a WordPress site over HTTPS only, support is very good and there are very few issues to contend with. If you’re running a multisite network on HTTPS there are a few small issues when adding new sites. However, the main HTTPS issues in core come from:

    • Enforcing the HTTPS scheme on assets (such as embedded images in post content, and enqueued JS and CSS).
    • Enforcing the HTTPS scheme on links, redirects, and canonical URLs.
    • Migrating an existing HTTP site to HTTPS.
    • Running a site that uses a mixture of HTTP and HTTPS.

    The first two points — avoiding mixed content on HTTPS sites — need to be solved via an opt-in system (either via constants or filters) because enforcing these can cause issues with sites that run proxies (for example Cloudflare’s Universal SSL). Overall though, this ought to be a fairly straight forward set of enhancements to implement.

    The third point is a potentially complex one which will need a lot of discussion and some ideas putting forward. How can core make life easier for a site owner who wishes to switch their site from HTTP to HTTPS? Should it be a case of being able to change the scheme in the URL on the General Settings screen or is there too much risk of breakage? What else can be done post-migration to aid the site owner, or will the opt-in enhancements for avoiding mixed content be enough?

    The last point is one that, going forward, should be generally discouraged, however it needs to continue to be supported for multisite networks that use domain mapping and can’t serve every domain over HTTPS.

    There’s an https keyword on Trac which has been applied to tickets that concern HTTPS issues. We’ll start going through this list in next week’s chat.

    Here’s a bunch of further considerations that need to be taken into account while working on HTTPS issues:

    • Differing schemes, domains, and ports in the siteurl and home options.
    • Domain mapping
    • force_ssl_admin() usage
    • Self signed certs
    • No public access to admin URLs
    • Different HTTPS domain on front end (!)
    • HTTP site optionally available over HTTPS

    Here’s a list of items that should be considered for enforcing over HTTPS:

    • Enqueued JS and CSS.
    • Post content, images, js, CSS, iframes,srcset, oembeds, forms.
    • How about other fields such as term descriptions, user bios, etc.
    • Force https links. Links to the current site.
    • Force https link in nav menus.
    • Force https redirects and/or canonical.
    • Force HSTS. (Probably not.)
    • Force https rest api endpoint.
    • Force https XML RPC.
    • Set https-only on cookies.

    Let me know in the comments if you’d like to help out and if Fridays are good for the meeting time!

    • jancbeck 9:46 am on September 21, 2016 Permalink | Log in to Reply

      > If you’re running a multisite network on HTTPS there are a few small issues when adding new sites
      As somebody who is intending to do just that in a couple of weeks, may I ask what issues these are?

    • Jeremy Felt 2:36 pm on September 21, 2016 Permalink | Log in to Reply

      16:00 UTC and later would be the best time for me, but phones make anything possible. 🙂

    • Luke Cavanagh 7:01 pm on September 21, 2016 Permalink | Log in to Reply

      I would be interested in helping.

    • thomaswm 9:40 pm on September 21, 2016 Permalink | Log in to Reply

      I’m interested in helping. Fridays should be good.

    • jpresley23 1:41 am on September 22, 2016 Permalink | Log in to Reply

      We’re making the shift from http to https. What would have really helped is saving the urls with just “//” rather than saving the protocol to the database within content. The double slash without the protocol will be interpreted with whatever protocol the site uses. Unless there is backwards compatibility break, using the double slash would be best.

      In general saving urls within the content is problematic. When a site url changes, which happens as we move content from stage to production or move from a development domain to a production domain, we have to scrub the database to find where the development urls are stored.

      • Aaron Jorbin 7:53 pm on September 22, 2016 Permalink | Log in to Reply

        • Mark-k 6:12 am on September 23, 2016 Permalink | Log in to Reply

          just because some guy says it is an anti pattern doesn’t make it one. And if china want to break into any site they will succeed. Those are bad reasons to not solve/ease the core problem by using protocol relative url. In theory a URI is an address of a resource, it should not matter at all by which protocol you want to retrieve iit. Leave the decision to the client to decide what is the best strategy to retrieve it

    • menkom 1:41 am on September 22, 2016 Permalink | Log in to Reply

      Subscribed….. this is a much needed topic of discussion and the transition of http -> https should be improved for WP users

compose new post
next post/next comment
previous post/previous comment
show/hide comments
go to top
go to login
show/hide help
shift + esc
Skip to toolbar