#28521 (FORCE_SSL constant for really forcing SSL) – WordPress Trac
#28521 assigned enhancement
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | needs-patch https |
| Focuses: | | Cc: | |
Previously: #27954.
As per this post on make/core and its comments, we should introduce a new constant which becomes the iron-fisted ruler of HTTPS, imposing its might everywhere it can.
If this constant is set, we will:
- Force `https` connections (pretty much covered by #27954)
- Force local URLs within content to `https`
- Force local enqueued scripts and styles to `https`
- Force non-local enqueued scripts and styles to `https`
- Set the `secure` flag on all cookies
What we won't do:
- Force non-local URLs within content to `https`
- Force the `https` version of oEmbeds just yet - see #28507
- Send an HSTS header - see #28520
What I'm not sure on:
- Should we force `https` connections for XML-RPC? See #28424.