Breaks SSL with static HTTP include

  • In workbox-video-from-vimeo-youtube-plugin/workbox_video.php there is a line of PHP that enqueues jQuery externally from ajax.googleapis.com with a static unsecured (HTTP) URL.
    wp_enqueue_script('jquery', '//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js');

    I’m not sure that it’s the best practice to include external jQuery libraries when WordPress already include the core jQuery files internally. Regardless, this link breaks the SSL certificate on my site because of a “Mixed Content” error. I fixed this by simply removing the “http:” from the link so that it will dynamically switch from HTTP to HTTPS depending on the URL used to render my site. This may not be the most comprehensive solution, and it is still loading this resource externally when an internal reference might be smarter, but this was my quick fix:
    wp_enqueue_script('jquery', '//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js');

    Please fix this in the next release so that I can download your updates without breaking my site again!

    Thanks.

    P.S. More stars are awaiting your positive response and resolution ??

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Eli

    (@scheeeli)

    Sorry, just noticed my typo, your code was actually:
    wp_enqueue_script('jquery', 'https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js');

    My fix was to take the “http:” out so that it would work with SSL:
    wp_enqueue_script('jquery', '//ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js');

    John

    (@kcrnc)

    Yeah just noticed this after it broke one of my sites. Opened a bug on the forums, hopefully he will fix.

    All around wrong…forcing a different non-standard version of jquery is taking on the responsibility that it will not break wordpress or other plugins expecting wordpress’s version.

    Plus it rather nicely breaks SSL sites.

    Plugin Author Workbox

    (@workbox)

    Eli, John, we fixed this. Please try it out!

    Thread Starter Eli

    (@scheeeli)

    Thanks for fixing the issue I originally reported 4 months ago but I am not using the plugin any more.

    I checked out your new code (it’s a little strange that you don’t keep the old versions in the svn repo) anyway, I see you are using wp_enqueue_script to include the stock version of jquery without any custom source URL, that’s good, but I also noticed that your iframe code still has the same problem with breaking SSL certs on a secure site because you are using static ‘https://’ link to vimeo and youtube in the src.

    I mentioned before that you could use ‘//’ to start your links to either http or https dynamically. So, for example your could change your vimeo iframe code to this and it would work on secure and insecure sites:
    $saveArray [‘code’] = ‘<iframe src=”//player.vimeo.com/video/’ . $vimeo_key [0] . ‘?title=0&byline=0&portrait=0&color=6fde9f” width=”‘ . $width . ‘” height=”‘ . $height . ‘” frameborder=”0″ webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe>’;

    Plugin Author Workbox

    (@workbox)

    Hi Eli, thanks again for your note! We fixed this in the new version of the plugin! Please let us know if you have any questions!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Breaks SSL with static HTTP include’ is closed to new replies.