Issue metadata
Sign in to add a comment
|
Issue 505268: Forcing Wordpress sites to use https even when not directed
Reported by
sa...@spunmonkey.com,
Jun 28 2015
|
||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36 Steps to reproduce the problem: 1. Attempt to log into any self-hosted wordpress site What is the expected behavior? Should be redirected to the standard http dashboard url http://site.com/wp-admin unless an SSL is installed and otherwise directed to use the installed SSL via a plugin or htaccess. What went wrong? Users are force redirected to httpS instead of http, regardless of htaccess or plugin directives. Even on sites that have never used https. Did this work before? Yes Stable version 43. Chrome version: 44.0.2403.61 Channel: beta OS Version: OS X 10.10.4 Flash Version: Shockwave Flash 18.0 r0 Clearing cache/history, incognito mode, clearing from HSTS-- none fix the problem. The only fix I've found is to roll back to v43. Jun 29 2015,
Retriaging to available. Can you please provide a chrome://net-internals log, as per https://dev.chromium.org/for-testers/providing-network-details ? This will help detail why you're being redirected. Jun 29 2015,If there's a particular URL you could provide that I could take a look at, I'd like to check if this is the `HTTPS` header we've started sending in 43. Jun 29 2015,There is another behavior that might be related to this https forced redirection. Take a look at this site: http://prestazilla.org/wordpress/butterfly/ When I access it with 44.0.2403.61 beta there are stylesheets and scripts that are converted to https protocol, so it basically it ends up being displayed without styles. Jun 29 2015,re: #4 above - yes, that is also a symptom. Jun 29 2015,re: #3) I don't really want to publicly post the login pages for live sites, can I email one? Jun 29 2015,
Certainly sounds like my fault, then. Assigning to myself. Do you see the same behavior in Canary or Dev channel (45)? Or just in Beta (44)? sarah@: I'll poke at the butterfly link cata.rock provided. If I can't reproduce it there, I'll ask you for some more detail. Jun 29 2015,
Mike: Removing the Cr-Internals-Network-SSL layer - sounds like this should be triaged through blink. If you do think it's something SSL-y, please make sure yourself (or reporters) adds net-internals. ta :) Jun 29 2015,
Jun 29 2015,Modified (removed site url) net-internals attached. Jun 30 2015,Chrome beta send a new header : HTTPS:1 it breaks woocommerce check for https, so a connection to the http version will try to load assets with https (and possibly breaks the website is https is not supposed to be supported). $_SERVER['HTTP_HTTPS'] is set to 1 due to the header. https://plugins.trac.wordpress.org/browser/woocommerce/trunk/woocommerce.php#L382 Jul 2 2015,I'm having the same issue, is there something that I could do to help? Like a log file or something? It happens inside Chrome 45.0.2438.3 dev-m (64-bit) and also Canary 45.0.2445.0 canary (64-bit) Inside a Virtual Machine using Windows 7 and Chrome this is not happening. Jul 2 2015,mkwst@chromium.org: I would assume this report is related to issue #495991 (https://code.google.com/p/chromium/issues/detail?id=495991) As you seemed to have alluded to. For what it is worth, the implementation of `Upgrade Insecure Requests` looks to be done per specifications and the software listed as being affected simply responds incorrectly to the HTTPS header: https://github.com/woothemes/woocommerce/issues/8479 . So the onus seems to be more on the responding servers or software to carry their end of the bargain if the draft protocol is going to be used on the client-side. If it is helpful, attached is the behavior in a net-internals log. Jul 7 2015,We are having the same issue with a wordpress site. It happens with chrome 44.0.2403.61 [beta m] win 7. First you only see the navigation tree (pure without css and everything)and if you click a link you will get error messages that the connection ist not save and that the server certificate doesnt correspond with the url. Jul 7 2015,I'm using Chrome Version 44.0.2403.61 beta (64-bit) on Mac and I can confirm this is a really annoying bug! I own a self hosted website powered by nginx and when I try to access it I'm redirected to https, I don't even have a SSL certificate installed on the server and my website is throwing impossible errors on the developer's panel. I've been experiencing this issue with a lot of wordpress websites and blogs I usually read. I first started digging on nginx as I thought it was a sever-side malfunction until I searched for this issue and landed here. I hope it get solved soon. Unfortunately I'll have to stop using my favorite browser until this issue is solved on a next update. Chrome 32 bit is out of question, I just can't use it anymore, performance is incredible poor. Jul 9 2015,Same here on chromeos beta channel. If i view the web page source it's changed and every http link (for css, js and so on) is rewritten as https and usually not found. Jul 14 2015,It looks like it's fixed in 44.0.2403.81. Jul 14 2015,re: #20 You have any indication this was actually removed (e.g., another issue, pull request)? I am still seeing this `HTTPS: 1` header set in Version 46.0.2455.0 canary (64-bit). Jul 14 2015,Problem not fixed yet, Chrome 45.0.2454.6 dev-m (64-bit). Jul 15 2015,
Duping this against issue 501842 ; I've landed a fix, and I'll try to get it merged back on that bug. Jul 22 2015,Having same issue after updating the chrome to Version 44.0.2403.89 beta-m (64-bit). I thought it is something wrong with our website, glad to know its chrome known issue, how to be solved soon. Cannot use chrome due to this bug. Jul 22 2015,The fix didn't make it into the initial release of 44. It did make it into the branch for the first stable update, so the next time we roll Chrome, this will be taken care of. Jul 22 2015,The problem was in beta 44, now it's in PUBLIC 44, which means a HUGE swath of wordpress sites are throwing invalid "Not private" errors, and how long will it be before the next stable refresh is out, another week? There's no way you can push a fix for this any faster? I would consider it a huge problem for a vast number of users. Jul 22 2015,All our WordPress websites are broken and totally useless. This bug is breaking far too many WordPress sites out there! Jul 22 2015,The google chrome update plus the eventon-plugin = crash. A lot of sites are affected! Jul 22 2015,Hi everyone, Just wrote a tiny WordPress Plugin to turn off HTTPS. It is not perfect but might help until waiting for the next Chrome release. http://spunmonkey.design/chrome-beta-44-causing-problems-with-httpsssl/#comment-182 Cheers Jul 23 2015,Really upset that this bug hasn't been fixed in stable version. This is really, really bad! Jul 23 2015,Could we please get time estimate for when this will be fixed? Jul 23 2015,This is now about 40 of my Wordpress Sites. links to external files are now showing https even though we never use https. Can't believe this passed BETA Jul 23 2015,Any chance on an update to this issue? Jul 23 2015,I have a number of affected sites http://www.lionlabels.co.uk/ http://www.ladydesignerwear.co.uk/ http://www.optimumcontracthire.co.uk/ http://www.smcentertainment.co.uk/ and loads more, going to try the temporary fix listed here, but would really like some feedback on why this is happening. Jul 23 2015,Copy/pasting from issue 501842 , which this bug duplicates: """ I apologize for the breakage; I apparently underestimated the impact based on the feedback during dev and beta: 1. A fix has been merged back to the stable branch (http://src.chromium.org/viewvc/blink?view=revision&revision=199090), but not quickly enough for the stable release that went out on Tuesday. I'll raise this bug with our release managers to see what can be done with regard to updating the stable channel. 2. Going forward, Chrome will no longer send `HTTPS` headers (We renamed the header from `HTTPS` to `Upgrade-Insecure-Requests` in response to the reports we got during beta), so ,at least with regard to Chrome, something like #38's suggestion is a reasonable short-term workaround. I'd certainly recommend removing it once Chrome pushes an update, but it will mitigate the issue for the moment. """ Jul 23 2015,You can mitigate the issue server-side by asking your http server to remove the HTTPS header. For instance, with apache, you can add, in a .htaccess file: RequestHeader unset HTTPS Jul 23 2015,And if your site uses a mix of SSL and non-SSL pages as does ours, the possible work-arounds don't work! I am also getting "This webpage has a redirect loop" ERR_TOO_MANY_REDIRECTS. This is going to cost many people to loose money. PLease see if the fix can get pushed out now. Jul 23 2015,So far I've only seen WordPress websites running WooCommerce having this issue, when they are running an old version before 2.3.12 in which WooCommerce removed a bad fix. See also http://develop.woothemes.com/woocommerce/tag/woocommerce-2-3/ Are there any other situations known? Jul 23 2015,> So it goes beyond WordPress. Right, I came here to say the same thing. This looks like an Apache + PHP bug. Jul 23 2015,Unfortunately the error is not a WooCommerce thing only. There are other plugins ( e.g.: Contact Form 7 ) and themes which use the is_ssl() function. Using this function causes all links to become HTTPS. In case you do not want to mess with a code or .htaccess as a quickfix you can use this small plugin which basically disables HTTPS and does nothing else. Here is the code on GitHub https://goo.gl/D54cWv It should be used for a short amount of time until the Chrome Update is out. Cheers Jul 23 2015,I'm using Contact Form 7 on various websites and haven't seen any issues yet. Can you tell me how to reproduce that? Jul 23 2015,I was referring to a comment by this user: http://themeforest.net/forums/thread/big-problem-chrome-version-44/186305?page=2#1309421 In our case the error occurs even without any plugin. The them I use, uses the is_ssl() function and based on that loads some file either via HTTP or HTTPS. the function always returns true. Jul 23 2015,re: #47 - this is just the plugin in #43 wrapped up to include a donation form in the WP admin, which is pretty disgusting. Jul 23 2015,I've got this issue on Chrome stable 44.0.2403.89-1 on Ubuntu Linux. It's made a WordPress blog I inherited on cPanel completely unusable. The blog does use WooCommerce. Jul 23 2015,It's a WooCommerce issue, they were doing bad things with $_SERVER['HTTP_HTTPS'] - Update WooCommerce to >= 2.3. Jul 23 2015,I to am having this issue, but only on one of my sites. I am using Chrome 44.0.2403.89 (64-bit) on a Mac. I only updated Chrome today and it started happening straight away. Hopefully there will be a fix soon. Jul 23 2015,Keep in mind, even after chrome fixes this problem there will still be people having issues because they might not update right away. So keeping "RequestHeader unset HTTPS" in your .htaccess would be a good idea for a few weeks after they fix the bug. Jul 24 2015,Ive been having issues the past 3 days, started with CSS not being loaded, then redirect loops, now im getting HTTPS/Security issues as well on WP/Woocommerce sites. Im going to use google chrome canary until this is fixed. Jul 24 2015,There is a Woocommerce update that works around this Chrome bug. Jul 24 2015,Thanks, I guess that's ok in the meantime but there are so many sites running WP/woo its pretty frustrating. I just switched to Canary and that seems to work. Jul 24 2015,The woo commerce update allows the problem to be worked around so that the website looks/works fine in Chrome. Jul 24 2015,Does the woocommerce workaround work if portions of your site require SSL? Jul 24 2015,I would like to thank everyone who has been posting in this thread. Especially Username: fmsoc...@fabricmate.com for posting the htaccess solution. This saved me since my site does not use SSL at all.. Am using wordpress 4.2.3. and woocommerce 2.3.8. Running chrome 44.0.2403.89 m. Just convinced my client to switch from IE to chrome, hope i wont need to advice otherwise............ please keep us updated. Jul 24 2015,Thanks for the htaccess solution, adding RequestHeader unset HTTPS did the trick for me. Just ot confirm, SSL still works for checkout pages in WooCommerce with this fix. Jul 24 2015,The real solution is to update WooCommerce, not to hack your .htaccess file or install plugins. Jul 24 2015,hi, Guys this is bug with WordPress Woo-Commerce old releases before 2.3. Once you update the Woo-Commerce to 2.3 you can see this issue is fixed. Kindly reply if this is helpful. Thanks Jul 24 2015,Also dont forget to clear the browsing cache Also this bug is with chrome 44.x.x.x only version 39.x.x.x is working perfectly. Jul 24 2015,hi, Guys this is bug with WordPress Woo-Commerce old releases before 2.3. Once you update the Woo-Commerce to 2.3 you can see this issue is fixed. Also dont forget to clear the browsing cache Also this bug is with chrome 44.x.x.x only version 39.x.x.x is working perfectly. Kindly reply if this is helpful. Jul 24 2015,To be more precise, WooCommerce 2.3.12 fixes this issue 2.3.12 - 06/07/2015 Fix - Fixed Google Chrome forcing to use SSL. This can cause some issues on websites behind load balancers or reverse proxies. Read more. Jul 24 2015,When will this fix be released? Jul 24 2015,So far my experience is that none of these 'hacks' and workarounds are working. I still get the SSL errors in WordPress after the upgrade to Chrome v44. Please fix this! Jul 24 2015,Right now the fix that finally worked for us (our site uses a mix of http/https) is to comment out the below lines in woocommerce.php: if ( ! isset( $_SERVER['HTTPS'] ) && ! empty( $_SERVER['HTTP_HTTPS'] ) ) $_SERVER['HTTPS'] = $_SERVER['HTTP_HTTPS']; Jul 24 2015,Guys for now use Canary, go in and update your WP and Woo. Jul 24 2015,Pages do not work correctly on the https protocol. Jul 25 2015,As noted in https://code.google.com/p/chromium/issues/detail?id=501842#c63, the fix is now live on M44 Desktop stable channel version 44.0.2403.107 (Win, Mac, Linux). Jul 25 2015,I can confirm that updating woocommerce has fixed this issue. Jul 25 2015,Yes but in several sites Im not the admin and the issue continues. Jul 27 2015,I just updated Chrome to Version 44.0.2403.89 and I am still getting the HTTPS privacy error when going to the WP Dashboard! I have found though that this fixes it, but I shouldn't have to enter hacks into my files - please fix this! /* add this to your functions.php file in WP to bypass SSL error */ function https_chrome44fix() { $_SERVER['HTTPS'] = false; } add_action('init', 'https_chrome44fix',0); Jul 28 2015,I think this goes back to this spec here: http://www.w3.org/TR/upgrade-insecure-requests/ So, if anything, either the W3C spec *or* PHP is broken and website owners will likely experience the same breakage again when other browser vendors start to implement that spec... Jul 29 2015,I too am having this issue, very annoying!!! more reasons to abandon chrome :( Sep 4 2015,Hey, at least Google's focusing on the IMPORTANT things, like their new logo. Sep 5 2015,No one investigated and they make relese with this bug. What a bucnh of noobs omg. i can't believe this happen. Oct 3 2015,menu chrome, try in advance setting, click reset setting... hope this help... mantapps |
|||||||||||||||||||||
►
Sign in to add a comment |
Comment 1 by jww@chromium.org, Jun 28 2015
Owner: davidben@chromium.org
Status: Assigned