• Resolved nerik73

    (@nerik73)


    Hello,

    I’m running WordPress 5.4.1 with WPFC version 0.9.0.6.

    Ispecting my homepage html code, I’ve noticed WPFC added a link to cached minified CSS like this:

    <link rel="stylesheet" type="text/css" href="//www.mysite.com/wp-content/cache/wpfc-minified/7n961le9/3xz82.css"...

    I don’t want WPFC uses relative protocol url syntax for security reasons…so I would prefer something like:

    <link rel="stylesheet" type="text/css" href="https://www.mysite.com/wp-content/cache/wpfc-minified/7n961le9/3xz82.css"...

    (with the absolute https:// protocol path)

    How can I do this?

    Thanks,
    Riccardo

    • This topic was modified 6 years, 1 month ago by nerik73.
    • This topic was modified 6 years, 1 month ago by nerik73.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Emre Vona

    (@emrevona)

    you cannot do it. why do you want this?

    Thread Starter nerik73

    (@nerik73)

    It could be a security risk, that’s the reason why I would like to fix it.

    https://sitebulb.com/hints/security/loads-page-resources-using-protocol-relative-uris

    Plugin Author Emre Vona

    (@emrevona)

    nonsence!

    Thread Starter nerik73

    (@nerik73)

    Sorry Emre, but I think you are just understimating a possible security issue on your plugin.

    Of course, this precise technical aspect could be debatable…but I don’t see any “nonsense” here…when WordPress is free to choose in between http and https there’s always a potential risk. (See what’s happening about “mixed content” security warnings too).

    Why don’t you offer a simple configuration option so that anyone can decide this behaviour on his own website?

    Looking forward your feedback about my proposal, thank you.

    Plugin Author Emre Vona

    (@emrevona)

    because I think it is unnecessary. Our motto is “the fastest and the easiest” plugin. I don’t wanna show some unnecessary settings to my customers.

    Thread Starter nerik73

    (@nerik73)

    I think your plugin IS and ALWAYS WILL BE “the fastest and the easiest”.

    That’s the reason why I’m choosing yours for all my websites. And this is also the reason I’m writing on this forum and not on a competitor’s one! 🙂

    But adding a very simple but useful option (for “worried” people like me or for anyone else who wants to better his own website security score) i think it would be a huge “plus”. Nobody would complaint about it, I’m confident about that.

    “More secure” doesn’t mean “more complicated”. We’re talking about a check-box and probably a php ternary operator usage in a couple of place inside your code.

    Try to make some research on the web, Emre: you will find a lot of security auditing tools who care about this aspect and also a lot of people saying that, wherever is possible, everyone should use “https” instead relative protocol.

    This is another very interesting resource:
    https://webhint.io/docs/user-guide/hints/hint-no-protocol-relative-urls/

    I know you could be busy with thousands of other things to do…but I don’t think you should ignore this issue at all…please save it in your to-do list!! 😉

    • This reply was modified 6 years, 1 month ago by nerik73.
Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Relative protocol url for minified cached css’ is closed to new replies.