• Is basically broken. Specifically it tries too hard to generate absolute URLs all the time and more often than not, it gets them wrong.

    I have a site which is hidden behind a proxy server. The WP machine is running a vanilla PHP install on Apache with no SSL cert. The reason being that the blog is but one server in a cluster of many different machines with different jobs all living under a common domain (call it https://www.example.com). There is an NGINX server in front of everything handling routing based on URL paths. The NGINX handles the SSL encryption and then communicates with backend servers using http. Works fine.

    However – this means that the WP installation thinks it is operating under http rather than https. Any test of headers in any code comes up with protocol http and not https. So any absolute URLs generated such as for style sheets and JS files are being generated with a big fat http: in front and conservative browsers like Chrome are declining to load them as they are viewed as potential security threats. Many themes and plugins are written to only exacerbate the problem but for many it isn’t their fault exactly since they are relying on calls like get_stylesheet_directory_uri() which returns an http: prefixed string on our nifty https: served blog.

    In order to fix our site I did the following modifications to various files in wp-includes. I found where the URL was about to be written and I stripped the protocol off of it using something like

    $baseurl = ltrim(self::$baseurl, 'htpsHTPS:');

    which crudely strips off any leading http/https protocol. The reason this is OK is because RFC 3986 part 4.2 allows for protocol-less or protocol relative URLs. So instead of https://www.example.com it is fine to use //www.example.com and the browser will use whatever protocol was used to fetch the parent page. If WP were to generate these sorts of URLs, wacky plugins like https://www.ads-software.com/extend/plugins/wordpress-https/ would be totally unnecessary.

    Please update WordPress to use protocol-relative URLs. Trying to “guess” the unguessable and getting it wrong is just inviting all sorts of security holes. A developer should feel confident that if he has secured his server, then all his resources will be secured by default.
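An added example, not part of the original post and not WordPress core code: `ltrim()` treats its second argument as a set of characters rather than a prefix, so the one-liner above also eats the start of relative paths, while an anchored match removes only a leading `http:` or `https:`. The helper names `strip_with_ltrim()` and `to_protocol_relative()` are hypothetical, and the URLs are constructed samples.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical and all URLs are constructed.

function strip_with_ltrim(string $url): string
{
    // The mask is a character set: every leading h, t, p, s or ':'
    // (either case) is removed, whether or not it spells a scheme.
    return ltrim($url, 'htpsHTPS:');
}

function to_protocol_relative(string $url): string
{
    // Remove only a leading "http:" or "https:" that is followed by "//".
    // Anything else (relative paths, already protocol-relative URLs,
    // other schemes) is returned unchanged.
    return preg_replace('#^https?:(?=//)#i', '', $url) ?? $url;
}

$samples = [
    'https://www.example.com/wp-content/themes/demo/style.css',
    'HTTP://www.example.com/wp-includes/js/a.js',
    '//www.example.com/wp-includes/js/a.js',
    '/wp-includes/js/a.js',
    'static/css/site.css',    // ltrim() turns this into "atic/css/site.css"
    'themes/demo/style.css',  // ltrim() turns this into "emes/demo/style.css"
];

foreach ($samples as $url) {
    printf(
        "%s\n    ltrim:    %s\n    anchored: %s\n",
        $url,
        strip_with_ltrim($url),
        to_protocol_relative($url)
    );
}
```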

Viewing 3 replies - 16 through 18 (of 18 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Basically it is designed for amateurs who edit and develop things live on their one copy.

    Ha! That’s funny and many small online companies such as CNN, NY Times, the whole family of CBS Network news sites, many universities, some financial companies, etc. wouldn’t think much of that statement.

    Again we disagree.

    Professional organizations generally have multiple servers for development, staging, and production and thus pages may be accessed via different server names, behind proxies, and etc… Code moves from dev to staging for approval and ultimately is placed before the public on production.

    Yes they do.

    How is that different from running and developing WordPress new releases, testing and QA’ing it to great length, and then when it’s cooked releasing it?

    If you haven’t already done so you really should take an informed look at the Make:WordPress sites as well as the Core trac site.

    Look at the collaboration and how it’s all developed. In comparison to corporate shops it’s really refreshing to observe. In “Professional organizations” releases have been made because someone put their foot down and cowed the other developers to toe the line. A manager makes a decision and that’s produced some really horrific products.

    It of course does not happen all the time but many organizations have released brown paper bag code.

    But the way WordPress is developed really is collaborative and it’s constantly moving to a better “product”. It’s successful and what was once a simple blogging tool is developing over time into a robust platform.

    That’s far and away from the URL generation topic you posted months ago. But as Esmi stated you or anyone really can submit a patch. If it’s good it will move up. If it doesn’t pass then the patch will not be accepted.

    Ha! That’s funny and many small online companies such as CNN, NY Times, the whole family of CBS Network news sites, many universities, some financial companies, etc. wouldn’t think much of that statement.

    It IS designed for amateurs. Those companies you name have probably undergone heavy modifications to the WP code to make it perform as they want. They won’t apply your updates as they are available. And I don’t think they will give the community anything back any time soon.

    So stop saying that big companies find the WP code perfectly suitable for their needs. It is just self-contempt.

    I do like WP as a project, but it has flaws (like the URL generation) that are not being addressed. This leads to modified WP code, which leads to updates not being applied, which leads to a poor WP experience.

    It IS designed for amateurs.

    I beg your pardon! As a professional developer for the past 12 years, I’m trying really hard not to take exception to that. And I very much doubt that I am the only one…

    Those companies you name have probably undergone heavy modifications to the WP code to make it perform as they want.

    No. They are all Automattic VIP clients using WordPress at an enterprise level.

    If you don’t like WordPress “as is” either don’t use it or get involved and start submitting your own patches. Standing on the sidelines throwing insults is just childish.

  • The topic ‘WordPress URL generation’ is closed to new replies.