Support » Requests and Feedback » HTTPS for Post Thumbnails

  • Jan Thiel

    (@janpeters)


    Hi guys,

    don’t know how to raise awarness anywhere else, so I try it here.
    Since WordPress 2.9 there is no way to have a clean HTTPS page, because all Thumbnails are only loaded via HTTP.

    That leads to possible security problems as well as a yellow SSL icon in the browser bar.

    The bug is filed for some time now. I keep the patch updated there regularily. But still it is not getting into core …

    https://core.trac.wordpress.org/ticket/20534

    Any advices how to raise attention for this?

    Thanks an brgds

    Jan

Viewing 9 replies - 1 through 9 (of 9 total)
  • kjohnson_2

    (@kjohnson_2)

    My sincerest thanks for your effort!

    I don’t have any helpful advice, though.

    (That’s not completely true. My long-term plan is to switch platforms, that is, away from WordPress, but in the short term your patches help solve my immediate problems. I can’t say if my long-term plan would help you.)

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Since WordPress 2.9 there is no way to have a clean HTTPS page, because all Thumbnails are only loaded via HTTP.

    The plugin WordPress HTTPS corrects this.

    https://wordpress.org/plugins/wordpress-https/

    I wrote a filter for my hunctions.php in the meantime to resolve this issue. Please note this issue only affects partial https sites. If your base_url and home_url are set to a https domain name, the post thumbnail urls will work correctly.

    Something like below should definitely be in core.

    //Fix SSL on Post Thumbnail URLs
    	function ssl_post_thumbnail_urls($url, $post_id) {
    		//Skip file attachments
    		if( !wp_attachment_is_image($post_id) )
    			return $url;
    
    		//Correct protocol for https connections
    		list($protocol, $uri) = preg_split('@(://)@', $url, 2);
    		if( is_ssl() ) {
    			if( 'http' == $protocol )
    				$protocol = 'https';
    		} else {
    			if( 'https' == $protocol )
    				$protocol = 'http';
    		}
    
    		return $protocol.'://'.$uri;
    	}
    	add_filter('wp_get_attachment_url', 'ssl_post_thumbnail_urls', 10, 2);

    Amended the code above to remove the use of regex. It was adding significant CPU load to pages with decent amounts of images.

    //Fix SSL on Post Thumbnail URLs
    	function ssl_post_thumbnail_urls($url, $post_id) {
    		//Skip file attachments
    		if( !wp_attachment_is_image($post_id) )
    			return $url;
    
    		//Correct protocol for https connections
    		list($protocol, $uri) = explode('://', $url, 2);
    		if( is_ssl() ) {
    			if( 'http' == $protocol )
    				$protocol = 'https';
    		} else {
    			if( 'https' == $protocol )
    				$protocol = 'http';
    		}
    
    		return $protocol.'://'.$uri;
    	}
    	add_filter('wp_get_attachment_url', 'ssl_post_thumbnail_urls', 10, 2);

    Hi guys, just got great news form WordCamp Germany. In one of the sessions I mentioned the HTTPS problem in general and got into discussion with an Automattic guy. He told me that there will be (full?) Core HTTPS support in one of the next WP versions… finally 🙂

    So lets keep our fingers crossed and hacks out of our code 😉

    Greetings from Germany,

    Jan

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    For more information I believe you can read about it here.

    SSL taskforce

    Make/core is a good blog to subscribe to. 😉

    Thx Jan. Yes, you are absolutely correct about subscribing it! So good to see the word is already out 🙂

    hey Matthew just wanted to thank you for the snippet. fixed my problem right away. thanks!

    @ajmancilla Glad to hear I am not the only one with this issue :D.
    @jan Dembowski Thanks for the information on the SSL taskforce. Thats an interesting read.

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘HTTPS for Post Thumbnails’ is closed to new replies.