Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#32552 closed enhancement (fixed)

Use HTTPS for Google API external libraries

Reported by: netweb
Owned by: rommelxcastro
Milestone: 4.3
Priority: normal
Severity: normal
Version:
Component: External Libraries
Keywords: good-first-bug has-patch
Focuses:
Cc:

Description

Via https://developers.google.com/speed/libraries/?csw=1#libraries

"We recommend that you load libraries from the CDN via HTTPS, even if your own website only uses HTTP. Nowadays, performance is fast, and caching works just the same. The CDN's files are served with CORS and Timing-Allow headers and allowed to be cached for 1 year."

Attachments (1)

32552.diff (6.6 KB) - added by rommelxcastro 10 years ago.
move googleapis requests to https

Change History (15)

#1
10 years ago

This ticket was mentioned in Slack in #meta by netweb.

#2 @rommelxcastro
10 years ago

  • Keywords has-patch added; needs-patch removed

hey guys, here's a patch from WCOC contributors

@rommelxcastro
10 years ago

move googleapis requests to https

#3 @netweb
10 years ago

  • Milestone changed from Awaiting Review to 4.3

Thanks for the patch WordCamp Orange County :)

Last edited 10 years ago by netweb

#4 @obenland
10 years ago

  • Owner set to rommelxcastro
  • Status changed from new to assigned

#5 follow-up: @netweb
10 years ago

The current patch 32552.diff includes Google Fonts, i.e. https://fonts.googleapis.com; in the original linked reference the only documented libraries are the JavaScript libraries: https://developers.google.com/speed/libraries/?csw=1#libraries

Should we only do the JavaScript libraries for now until Google officially documents the same for Fonts?

Just to note that loading Google Fonts via HTTPS works just fine; I just wanted to raise the point for discussion.

#6 in reply to: ↑ 5 @peterwilsoncc
10 years ago

Replying to netweb:

Should we only do the JavaScript libraries for now until Google officially documents the same for Fonts?

The recommendation by Google is to avoid man-on-the-side attacks; fonts are susceptible, so given that it works, I think they can be actioned now. The font servers include the relevant headers.

#7 @obenland
10 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 32843:

Use https for Google API external libraries.

Google recommends it and users are more likely to have the https version cached in their browser already.

Props rommelxcastro.
Fixes #32552.
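The change committed above, rewritten as an added Python example (WordPress itself is PHP, and this is not the project's code): every registered URL that points at one of the googleapis hosts named in the ticket is moved to https, scheme-relative URLs included, and an audit function reports which external handles would still load without TLS. The registry, the handles and the library paths in it are constructed for illustration, and the host list is an assumption drawn from the ticket's discussion.

```python
"""Normalize Google API library URLs to HTTPS and audit a script registry.

Added example, not WordPress code. The registry below is constructed for
illustration; the hosts are the ones discussed in the ticket.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts the ticket moves to HTTPS (ajax.googleapis.com for the JavaScript
# libraries, fonts.googleapis.com for Google Fonts). Assumed list.
GOOGLE_API_HOSTS = frozenset({"ajax.googleapis.com", "fonts.googleapis.com"})

# Constructed sample registry: handle -> URL, in the shapes that turn up in
# practice (plain http, scheme-relative, already https, local, other host).
SAMPLE_REGISTRY = {
    "jquery-cdn": "http://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js",
    "open-sans": "//fonts.googleapis.com/css?family=Open+Sans:400,700",
    "swfobject": "https://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js",
    "local-core": "/wp-includes/js/wp-util.js",
    "other-cdn": "http://cdn.example.com/lib.js",
}


def to_https(url, hosts=GOOGLE_API_HOSTS):
    """Return `url` with an https scheme if it points at one of `hosts`.

    Scheme-relative URLs ("//host/path") are pinned to https as well: on a
    page served over http they would otherwise be fetched over http.
    Relative paths and other hosts are returned unchanged.
    """
    parts = urlsplit(url)
    if not parts.netloc or parts.netloc.lower() not in hosts:
        return url
    if parts.scheme == "https":
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def upgrade_registry(registry, hosts=GOOGLE_API_HOSTS):
    """Apply to_https to every URL in a handle -> URL mapping."""
    return {handle: to_https(url, hosts) for handle, url in registry.items()}


def audit(registry):
    """Report handles whose external URLs are still not https.

    Returns a dict handle -> reason. Relative (same-origin) URLs are skipped,
    since they inherit the page's own scheme.
    """
    findings = {}
    for handle, url in registry.items():
        parts = urlsplit(url)
        if not parts.netloc:
            continue
        if parts.scheme == "http":
            findings[handle] = "plain http"
        elif parts.scheme == "":
            findings[handle] = "scheme-relative (http on http pages)"
    return findings


if __name__ == "__main__":
    before = audit(SAMPLE_REGISTRY)
    upgraded = upgrade_registry(SAMPLE_REGISTRY)
    after = audit(upgraded)
    for handle, url in upgraded.items():
        print(f"{handle:12} {url}")
    print("insecure before:", sorted(before))
    print("insecure after: ", sorted(after))
```

Note that the third-party host outside the allowlist is deliberately left alone and only reported: whether a given CDN serves a working https endpoint is a per-host decision, which is exactly why the ticket stayed scoped to the hosts Google documents.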

#8 @nacin
10 years ago

+100

#9 follow-up: @dorianmuthig
10 years ago

  • Keywords needs-patch dev-feedback added; has-patch removed
  • Resolution fixed deleted
  • Severity changed from normal to critical
  • Status changed from closed to reopened
  • Type changed from enhancement to defect (bug)
  • Is inappropriate change
  • Has security implications

As per comment on GitHub: https://github.com/WordPress/WordPress/commit/81df9bffc5ffdda9cd7c16dadef21b574f9ee922#commitcomment-11859945 (most recent code change that is relevant to the issue described)

Please make a change and do not load libraries from external sources. This centralizes the failure point and enables the external provider to track all visitors, or worse, inject code in a targeted manner via referrer, domain, IP and public cookie matching. Please include these resources locally with the WordPress installation and make using the local copy the default. In case you'd like to provide users with the option to use a CDN, please do it in a manner which allows and encourages those managing multiple WordPress installations to 1. use their own, 2. verify the script loaded is the right one (lazy load it with JavaScript and verify a checksum) and 3. avoid leaking users' browser behavior to third parties.
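The checksum verification dorianmuthig asks for in point 2 is what browsers implement natively through the Subresource Integrity `integrity` attribute: the digest is published as `<algorithm>-<base64 digest>` and the browser refuses to execute a cross-origin script whose body does not match. The following is an added Python example, not WordPress code and not something this ticket adopted; it computes that value for a vendored library file, checks a fetched body against it, and renders the tag that makes the browser enforce it. The library bytes are a constructed stand-in for a real file.

```python
"""Checksum-pinning an externally loaded library (added example, not WordPress code).

The digest format is the one the Subresource Integrity `integrity` attribute
accepts: "<alg>-<base64 digest>". LIBRARY_BYTES is a constructed stand-in
for the contents of a vendored library file.
"""
import base64
import hashlib
import hmac
import html

# Algorithms SRI-capable browsers accept; anything else must fail closed.
SRI_ALGORITHMS = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Constructed stand-in for a library file shipped with the site.
LIBRARY_BYTES = b"window.exampleLib = { version: '1.0.0' };\n"


def integrity_value(body, algorithm="sha384"):
    """Return integrity metadata for `body`, e.g. 'sha384-AbC...'."""
    digest = SRI_ALGORITHMS[algorithm](body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body, integrity):
    """Return True only if `body` hashes to the digest in `integrity`.

    Unknown algorithms and malformed base64 fail closed. The comparison is
    constant-time, so a mismatch does not reveal how much of the digest
    matched.
    """
    algorithm, sep, encoded = integrity.partition("-")
    if not sep or algorithm not in SRI_ALGORITHMS:
        return False
    try:
        expected = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    actual = SRI_ALGORITHMS[algorithm](body).digest()
    return hmac.compare_digest(actual, expected)


def script_tag(src, integrity):
    """Render a <script> tag that has the browser enforce `integrity`.

    crossorigin="anonymous" is required for integrity checks on cross-origin
    scripts: without it the response is opaque and cannot be hashed, and the
    browser rejects the script outright.
    """
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{html.escape(integrity, quote=True)}" '
        'crossorigin="anonymous"></script>'
    )


if __name__ == "__main__":
    pin = integrity_value(LIBRARY_BYTES)
    print(script_tag("https://ajax.googleapis.com/ajax/libs/example/1.0.0/example.js", pin))
    print("genuine body verifies:", verify_integrity(LIBRARY_BYTES, pin))
    print("tampered body verifies:", verify_integrity(LIBRARY_BYTES + b"//x", pin))
```

A pinned digest addresses only the code-injection half of the concern above (a CDN cannot substitute a different file unnoticed); it does nothing for the tracking half, since the request, with its IP, referrer and cookies, still reaches the third party. Only serving the file locally removes that.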

#10 in reply to: ↑ 9 @ocean90
10 years ago

  • Keywords has-patch added; needs-patch dev-feedback removed
  • Severity changed from critical to normal
  • Type changed from defect (bug) to enhancement

Hello dorianmuthig, I have no idea how your concerns are related to the change to switch existing libraries to HTTPS. Please do not hijack tickets like this. There are already some tickets related to your concerns like #31801 or #26072, so feel free to comment on these ones.

Closing this one as fixed again since the original enhancement has been done.

#11 @netweb
10 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

#12 follow-up: @dorianmuthig
10 years ago

I was told to. See comments on GitHub.

#13 in reply to: ↑ 12 @netweb
10 years ago

Replying to dorianmuthig:

I was told to. See comments on GitHub.

Indeed you were directed here as this was the source of that change you commented on at GitHub, though as Dominik pointed out above the issue you have is not related to this issue and is related more to the tickets he linked, hopefully we have steered you to the best place where your feedback will be welcomed :)

#14 @dorianmuthig
10 years ago

I commented on that change on GitHub, because not only is it the latest relevant change, but the most complete collection of changes which relate to the issue I described. As such, it is the most appropriate place to make the issue known. It also means, that the change, which was made as a result of this very enhancement request was a very inappropriate thing and should instead have resulted in further consideration for the original intention of bundling said external resources instead. It cannot be that time is wasted on such an "enhancement", but no effort is made towards bundling or not using the external resources (applicable to fonts) at all, if that was what was intended and should've been done over a year ago.
As such, my commenting on and "hijacking" this "enhancement" request wasn't actually out of place at all, all things considered.
Making a WordPress installation or upgrade package download 6MB larger is hardly an issue anymore, today.
