[wp-trac] [WordPress Trac] #15928: wp_get_attachment_url does not check for HTTPS

WordPress Trac wp-trac at lists.automattic.com
Fri Oct 14 17:01:32 UTC 2011


#15928: wp_get_attachment_url does not check for HTTPS
-------------------------------------------------+-----------------------
 Reporter:  atetlaw                              |       Owner:  marfarma
     Type:  defect (bug)                         |      Status:  accepted
 Priority:  normal                               |   Milestone:  3.3
Component:  Permalinks                           |     Version:  3.0.3
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing 2nd-opinion  |
-------------------------------------------------+-----------------------
Changes (by marfarma):

 * cc: marfarma (added)
 * keywords:  has-patch needs-testing => has-patch needs-testing 2nd-opinion
 * status:  new => accepted
 * owner:   => marfarma


Comment:

 If you're running admin under SSL, when you add an image or media to a
 post with "Insert into post", the <img src> will be an HTTPS URL because
 wp_get_attachment_url returns HTTPS when called in an SSL context.

 The public then viewing the site over HTTP will encounter HTTPS links. If
 you are using a self-signed SSL certificate they'll get broken images in
 most browsers.  I'm not sure if this is queued up for the 3.3 release,
 since it's not committed.

 But whenever it's released, there should be an active decision to proceed.
 Either actively decide to proceed - and warn users of self-signed
 certificates, or fix the newly created 'insert into post' issue -
 potentially through content_save_pre and content_edit_pre filters.  See my
 related discussion here:
 https://plus.google.com/u/0/110903788122203327516/posts/EbgeoAKNVQd?hl=en

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/15928#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list