WordPress.org

Ready to get started?Download WordPress

Forums

SSL Insecure Content Fixer
[resolved] SSL Insecure Needs 3.5 Compatibility? (20 posts)

  1. Jason
    Member
    Posted 1 year ago #

    BTW, I have loved using this plugin. Fixed all my SSL issues before; however, after updating to WP 3.5 all my SSL issue are back! I'm guessing others will start having this issue once they upgrade? Can any one else confirm?

    http://wordpress.org/extend/plugins/ssl-insecure-content-fixer/

  2. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    G'day Jason,

    I did actually test the plugin with WP 3.5 (since beta1) and all is working OK for me. Can you provide me a link to your website so that I can look at what is triggering the problem? It could be a specific plugin or theme issue.

    You can find out which files are causing problems by opening Google Chrome's developer console, which lists the files blocked as insecure content.

    cheers,
    Ross

  3. Jason
    Member
    Posted 1 year ago #

    Thanks Ross, unfortunately this site is internal. But I did do a console view from inspect element and it was showing that the pages were trying to load http files instead of https. I went to the theme and found it was loading the location thus:

    <link rel="stylesheet" type="text/css" href="<?php bloginfo('stylesheet_url'); ?>" media="screen" />
    <link rel="stylesheet" type="text/css" media="all" href="<?php bloginfo('template_directory'); ?>/css/effects.css" />

    Our IT department did a roll back so we are back to 3.4.2 and everything is working again. The theme has always been loading the files this way so I'm not sure why going to 3.5 changed anything. I unfortunately don't have access to the db so I can't look to see where all the stored http values are, which is why I've been using this plugin :)

    I've checked all sorts of settings like making sure home and site url specify the https but it wouldn't take and I ended up in a loop when I tried to force admin ssl through the wp-config.php file.

    Since we are back to the old version I can't really look into this more. But thanks for your speedy reply!

  4. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    G'day Jason,

    That sounds like a regression in WP 3.5, as those two bloginfo() calls should be returning https links. I'll take a look and maybe submit a bug with WordPress.

    cheers,
    Ross

  5. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    @Jason: I just tried this in a test install, and it worked fine (without my plugin). I think there's something else going on with your website. Perhaps when you get some time, set up a development copy and upgrade to WP3.5, then turn off all plugins and see if it still has the problem.

    cheers,
    Ross

  6. PageWood
    Member
    Posted 1 year ago #

    I've also seen this issue with 3.5. It seems that 3.5 is not taking https into account on all of the links.

  7. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    @pwood: are you able to provide a link to an example site? Have you been able to pinpoint where a WordPress function isn't taking SSL into account?

    For all the basic recommended practices (e.g. plugins_url(), get_template_directory_uri(), get_stylesheet_directory_uri()), it seems to work OK.

  8. PageWood
    Member
    Posted 1 year ago #

    Taking a quick look, I see that these are not taking SSL into account:

    bloginfo( 'stylesheet_url' )
    
    get_template_directory_uri()
    
    plugins_url()

    The site is https://thebowserreport.com. Currently you will see some of the scripts/stylesheets loaded twice in the head. I hardcoded a few in as a fall back for Google Chrome users who don't tell chrome to display insecure files.

    I submitted a bug report to WordPress about this earlier today. Hopefully I was specific enough... I had these issues when I switched to the default twenty-eleven theme with no plugins too. Even the files bundled with WordPress such as the jquery script and Admin css files are loaded as HTTP.

  9. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    @pwood: bloginfo('stylesheet_url'), get_stylesheet_directory_uri() and plugins_url() all ultimately should be calling is_ssl() to determine the protocol scheme to use. It's possible that there's a bug in the twisted logic of set_url_scheme() that is in the mix there somewhere, but I reckon the most likely problem is that your server isn't passing on one of the server variables that WordPress is expecting to help it identify an SSL connection.

    Can you please drop this (only this) into a .php file and run on your server, then tell me what values you get for _SERVER['HTTPS'] and _SERVER['SERVER_PORT']?

    <?php
    phpinfo();
    ?>
  10. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    @pwood: perhaps you can send me a link to that phpinfo() page on your server, via my contact page.

  11. PageWood
    Member
    Posted 1 year ago #

    @webaware just sent you the link!

  12. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    @pwood: right, your server is hidden behind a load balancer or other forwarding service that isn't passing any information about the protocol/port used to access it externally; there is no _SERVER['HTTPS'], and _SERVER['SERVER_PORT'] says port 80 which is the regular, non-SSL port for HTTP.

    In some such situations, like Amazon's ELB servers apparently, you get an additional server variable _SERVER['HTTP_X_FORWARDED_PROTO'] which has the value "https" when accessed over SSL. But your server doesn't have that either. Frankly, I can't see anything in your phpinfo() output that
    indicates that you were accessed via SSL.

    You're going to have to talk to your host about this. They probably have a simple configuration they can set (or tell you how to set) that will let you detect SSL. See this answer on Stack Overflow and maybe tell your host about it. If they can't just set _SERVER['HTTPS'] then maybe we can write a simple plugin that uses the set_url_scheme filter to kludge it up :)

  13. PageWood
    Member
    Posted 1 year ago #

    Good old Network Solutions. This could be interesting with them.... Thanks so much for your help though!!!!! Many many thanks.

  14. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    Oh dear, this doesn't sound good. I'll see if I can kludge something up using that filter.

  15. PageWood
    Member
    Posted 1 year ago #

    According to Network Solutions, there is code that must be placed in the wp-config file to fix this, and they would be happy to share this with me if I paid for their "My Time Support."

  16. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    Well, I guess you could pay them for their "My Time Support", or you could just drop this gist into your plugins folder and enable it, then set your site URL to use https://

    https://gist.github.com/4688802

    What is does is test to see if your site URL is set to https, then it sets _SERVER['HTTPS'] so that is_ssl() detects the page as SSL.

    NB: it will always detect the connection as SSL, if you set your site URL to https!

  17. PageWood
    Member
    Posted 1 year ago #

    That is AWESOME! Everything is fully secure thanks to that line of code and your insecure content plugin. Thanks so much! What do I owe you?

  18. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    @pwood: I just updated that plugin so that it automatically adds the JavaScript to redirect your page when it loads over http instead of https. NB: this isn't fool-proof! However, it should catch most situations, an exception being someone who disables JavaScript and then edits the URL to force it back to http.

    You owe me: a nice act that helps someone else out, whenever the occasion arises :)

  19. Jason
    Member
    Posted 1 year ago #

    Hey! I'm back :) I updated to WordPress 3.5.1 today and all the stuff I talked about in the original post happened again. HOWEVER, I put in the plugin you referenced at github and everything works great. Thanks so much!

  20. webaware
    Member
    Plugin Author

    Posted 1 year ago #

    G'day Jason,

    Excellent, good to hear all is well now.

    cheers,
    Ross

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.