We’re hoping to make many improvements relating to SSL/HTTPS support in 4.0. Several fixes have already gone in over the last couple of weeks, and several are in progress.
Below is an ad-hoc list of SSL related bugs and potential enhancements that I’ve experienced in one way or another. Please leave a comment with details of other SSL related issues you are aware of (whether they’re already in Trac or not). I’m going to be tackling as many issues as possible for this release. We may or may not find some time to discuss some of this during tonight’s dev meeting.
Issues with HTTP front end and an HTTPS backend
Customiser previews break, site is requested over http
‘url’ and ‘return’ links in customiser have incorrect scheme
Media inserted into posts gets the incorrect scheme
GUIDs use the admin scheme
Network admin, some mixed http/https issues – #14867, #27499
Idea: filter to enable plugins to specify URLs / post IDs / paths which should be forced to https?
Idea: filter to enforce front end over http? (excluding urls from above filter)
Arguments in favour of a front-end ajax handler: x-domain and x-protocol issues with domain mapping
General issues with HTTPS on front end
Should we force https scheme on local content in post content, post excerpt, comment text, etc?…
Should we force https scheme using canonical? – fixed – #27954
Should we force https scheme for enqueued local scripts/styles?
General issues with HTTPS backend
Mixed content in the editor – can we force https scheme for local content? What about CDNs etc?
XML-RPC does not enforce https – looks like a wontfix – #28424
Theme thumbnails aren’t loaded over https – fixed
General HTTPS issues
No support for secure oEmbeds
wp_get_attachment_url() doesn’t respect scheme – #15928
HSTS – not something core should do – could be enabled with a filter but not enabled by default
“Update siteurl and home as well” on network admin loses https scheme
Issues specifically with HTTPS everywhere
Not all cookies have secure flag set – #28427