Mixed content when I enable SSL

  • Resolved EastDevonAlliance

    (@eastdevonalliance)


    7 years, 6 months ago

    The plugin creates Mixed Content browser content errors when loaded using SSL.

    This is because the code in os-integration.php creates absolute URL references in the link HTML tags; e.g.:

    <link rel=”icon” type=”image/png” href=”<?php echo osintegration_getOption( ‘img_square_196’, $options ); ?>” sizes=”196×196″>

    Ideally WordPress would provide a function like “wp_enqueue_icon” to do this, but AFAIK it doesn’t.

    I would suggest that you need a wrapper function (like “osintegration_getUrl($option, $options = null)” ) which tests whether the returned string starts with http://yourdomain.com or https://yourdomain.com and if it does it replaces the protocol with the one used for the current web page.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Greg Ross

    (@gregross)

    7 years, 6 months ago

    Or you could just regenerate the icons which will then be updated with the correct absolute URL.

    Since moving to SSL is usually a one time event I didn’t want to add the overhead of checking for it on every page load.

    Thread Starter EastDevonAlliance

    (@eastdevonalliance)

    7 years, 6 months ago

    No – only part of the site is SSL, so I can’t just regenerate the icons.

    And there is no real overhead. No database calls, no redirects – you just need to get the protocol and domain for the current website once, and create an alternative with SSL flipped, and then if the link starts with the same string you do nothing, and if it equals the alternative you flip it.

    Its a tiny amount of CPU to achieve this.

    Otherwise, the icons just won’t work on some browsers.

    Plugin Author Greg Ross

    (@gregross)

    7 years, 6 months ago

    Security best practice these days is to enable SSL on all your pages.

    You could generate the icons with SSL and they would work on both of course.

    Thread Starter EastDevonAlliance

    (@eastdevonalliance)

    7 years, 6 months ago

    Well, most wordpress admins won’t spot the problem themselves and will not know that there is a problem with their SSL implementation until an end user spots that they are not getting a padlock symbol and reports it rather than simply going elsewhere to buy products.

    I know that this is a free plugin, and support is therefore on a best efforts basis – and I would certainly understand if you said you didn’t have the time to fix this straight away, but I would certainly rather have a proper fix than an undocumented workaround.

    Would it help if I code the fix for you?

    Thread Starter EastDevonAlliance

    (@eastdevonalliance)

    7 years, 6 months ago

    Oh – and security best practice does NOT require you to use SSL on every site. Security best practice is to use SSL whenever a web site has a logon or is holding personal data, but when it is public information you are displaying with no passwords or personal data, it is nowhere near as important.

    Plugin Author Greg Ross

    (@gregross)

    7 years, 6 months ago

    That’s old security best practice, these days, with the amount of information leaded just in HTTP headers, all sites should be fully SSL enabled.

    Most WP Admins will just enable SSL on their entire site and never see the difference, those that go to mixed sites are typically more savvy and will work out the difference.

    I’ll add a FAQ question about it so it gets documented, but I don’t intend to add or support a mixed site environment with this plugin.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Mixed content when I enable SSL’ is closed to new replies.

Tags