WordPress.org

Ready to get started?Download WordPress

Forums

HTTPS for Post Thumbnails (10 posts)

  1. Jan Thiel
    Member
    Posted 5 months ago #

    Hi guys,

    don't know how to raise awarness anywhere else, so I try it here.
    Since WordPress 2.9 there is no way to have a clean HTTPS page, because all Thumbnails are only loaded via HTTP.

    That leads to possible security problems as well as a yellow SSL icon in the browser bar.

    The bug is filed for some time now. I keep the patch updated there regularily. But still it is not getting into core ...

    https://core.trac.wordpress.org/ticket/20534

    Any advices how to raise attention for this?

    Thanks an brgds

    Jan

  2. kjohnson_2
    Member
    Posted 5 months ago #

    My sincerest thanks for your effort!

    I don't have any helpful advice, though.

    (That's not completely true. My long-term plan is to switch platforms, that is, away from WordPress, but in the short term your patches help solve my immediate problems. I can't say if my long-term plan would help you.)

  3. Since WordPress 2.9 there is no way to have a clean HTTPS page, because all Thumbnails are only loaded via HTTP.

    The plugin WordPress HTTPS corrects this.

    https://wordpress.org/plugins/wordpress-https/

  4. chaoix
    Member
    Posted 3 months ago #

    I wrote a filter for my hunctions.php in the meantime to resolve this issue. Please note this issue only affects partial https sites. If your base_url and home_url are set to a https domain name, the post thumbnail urls will work correctly.

    Something like below should definitely be in core.

    //Fix SSL on Post Thumbnail URLs
    	function ssl_post_thumbnail_urls($url, $post_id) {
    		//Skip file attachments
    		if( !wp_attachment_is_image($post_id) )
    			return $url;
    
    		//Correct protocol for https connections
    		list($protocol, $uri) = preg_split('@(://)@', $url, 2);
    		if( is_ssl() ) {
    			if( 'http' == $protocol )
    				$protocol = 'https';
    		} else {
    			if( 'https' == $protocol )
    				$protocol = 'http';
    		}
    
    		return $protocol.'://'.$uri;
    	}
    	add_filter('wp_get_attachment_url', 'ssl_post_thumbnail_urls', 10, 2);
  5. chaoix
    Member
    Posted 1 month ago #

    Amended the code above to remove the use of regex. It was adding significant CPU load to pages with decent amounts of images.

    //Fix SSL on Post Thumbnail URLs
    	function ssl_post_thumbnail_urls($url, $post_id) {
    		//Skip file attachments
    		if( !wp_attachment_is_image($post_id) )
    			return $url;
    
    		//Correct protocol for https connections
    		list($protocol, $uri) = explode('://', $url, 2);
    		if( is_ssl() ) {
    			if( 'http' == $protocol )
    				$protocol = 'https';
    		} else {
    			if( 'https' == $protocol )
    				$protocol = 'http';
    		}
    
    		return $protocol.'://'.$uri;
    	}
    	add_filter('wp_get_attachment_url', 'ssl_post_thumbnail_urls', 10, 2);
  6. Jan Thiel
    Member
    Posted 1 month ago #

    Hi guys, just got great news form WordCamp Germany. In one of the sessions I mentioned the HTTPS problem in general and got into discussion with an Automattic guy. He told me that there will be (full?) Core HTTPS support in one of the next WP versions... finally :-)

    So lets keep our fingers crossed and hacks out of our code ;-)

    Greetings from Germany,

    Jan

  7. For more information I believe you can read about it here.

    http://make.wordpress.org/core/2014/06/11/ssl-taskforce/

    Make/core is a good blog to subscribe to. ;)

  8. Jan Thiel
    Member
    Posted 1 month ago #

    Thx Jan. Yes, you are absolutely correct about subscribing it! So good to see the word is already out :-)

  9. ajmancilla
    Member
    Posted 1 month ago #

    hey Matthew just wanted to thank you for the snippet. fixed my problem right away. thanks!

  10. chaoix
    Member
    Posted 1 month ago #

    @ajmancilla Glad to hear I am not the only one with this issue :D.
    @Jan Dembowski Thanks for the information on the SSL taskforce. Thats an interesting read.

Reply

You must log in to post.

About this Topic