Issue 505268: Forcing Wordpress sites to use https even when not directed

This is not a security bug, although it may be a general bug. I'm assigning to davidben for further investigation.

Retriaging to available.

Can you please provide a chrome://net-internals log, as per https://dev.chromium.org/for-testers/providing-network-details ? This will help detail why you're being redirected.

If there's a particular URL you could provide that I could take a look at, I'd like to check if this is the `HTTPS` header we've started sending in 43.

There is another behavior that might be related to this https forced redirection.
Take a look at this site: http://prestazilla.org/wordpress/butterfly/
When I access it with 44.0.2403.61 beta there are stylesheets and scripts that are converted to https protocol, so it basically it ends up being displayed without styles.

re: #4 above - yes, that is also a symptom.

re: #3) I don't really want to publicly post the login pages for live sites, can I email one?

Certainly sounds like my fault, then. Assigning to myself.

Do you see the same behavior in Canary or Dev channel (45)? Or just in Beta (44)?

sarah@: I'll poke at the butterfly link cata.rock provided. If I can't reproduce it there, I'll ask you for some more detail.

Mike: Removing the Cr-Internals-Network-SSL layer - sounds like this should be triaged through blink.

If you do think it's something SSL-y, please make sure yourself (or reporters) adds net-internals. ta :)

Modified (removed site url) net-internals attached.

Deleted: net-internals-log.json 1.3 MB

net-internals-log.json 1.3 MB Download

Chrome beta send a new header : HTTPS:1
it breaks woocommerce check for https, so a connection to the http version will try to load assets with https (and possibly breaks the website is https is not supposed to be supported).
$_SERVER['HTTP_HTTPS'] is set to 1 due to the header.

https://plugins.trac.wordpress.org/browser/woocommerce/trunk/woocommerce.php#L382

I'm having the same issue, is there something that I could do to help? Like a log file or something?

It happens inside Chrome 45.0.2438.3 dev-m (64-bit) and also Canary 45.0.2445.0 canary (64-bit)

Inside a Virtual Machine using Windows 7 and Chrome this is not happening.

mkwst@chromium.org: I would assume this report is related to  issue #495991  (https://code.google.com/p/chromium/issues/detail?id=495991) As you seemed to have alluded to. For what it is worth, the implementation of `Upgrade Insecure Requests` looks to be done per specifications and the software listed as being affected simply responds incorrectly to the HTTPS header: https://github.com/woothemes/woocommerce/issues/8479 . So the onus seems to be more on the responding servers or software to carry their end of the bargain if the draft protocol is going to be used on the client-side.

If it is helpful, attached is the behavior in a net-internals log.

Deleted: woocommerece-redirect-loop.json 809 KB

woocommerece-redirect-loop.json 809 KB Download

We are having the same issue with a wordpress site. It happens with chrome 44.0.2403.61 [beta m] win 7. First you only see the navigation tree (pure without css and everything)and if you click a link you will get error messages that the connection ist not save and that the server certificate doesnt correspond with the url.

I'm using Chrome Version 44.0.2403.61 beta (64-bit) on Mac and I can confirm this is a really annoying bug!

I own a self hosted website powered by nginx and when I try to access it I'm redirected to https, I don't even have a SSL certificate installed on the server and my website is throwing impossible errors on the developer's panel.  I've been experiencing this issue with a lot of wordpress websites and blogs I usually read.

I first started digging on nginx as I thought it was a sever-side malfunction until I searched for this issue and landed here. 

I hope it get solved soon. Unfortunately I'll have to stop using my favorite browser until this issue is solved on a next update. Chrome 32 bit is out of question, I just can't use it anymore, performance is incredible poor.

Same here on chromeos beta channel.

If i view the web page source it's changed and every http link (for css, js and so on) is rewritten as https and usually not found.

It looks like it's fixed in 44.0.2403.81.

re: #20 You have any indication this was actually removed (e.g., another issue, pull request)? I am still seeing this `HTTPS: 1` header set in Version 46.0.2455.0 canary (64-bit).

Problem not fixed yet, Chrome 45.0.2454.6 dev-m (64-bit).

Duping this against  issue 501842 ; I've landed a fix, and I'll try to get it merged back on that bug.

Having same issue after updating the chrome to Version 44.0.2403.89 beta-m (64-bit).

I thought it is something wrong with our website, glad to know its chrome known issue, how to be solved soon. Cannot use chrome due to this bug.

The fix didn't make it into the initial release of 44. It did make it into the branch for the first stable update, so the next time we roll Chrome, this will be taken care of.

The problem was in beta 44, now it's in PUBLIC 44, which means a HUGE swath of wordpress sites are throwing invalid "Not private" errors, and how long will it be before the next stable refresh is out, another week? There's no way you can push a fix for this any faster? I would consider it a huge problem for a vast number of users.

All our WordPress websites are broken and totally useless. This bug is breaking far too many WordPress sites out there!

The google chrome update plus the eventon-plugin = crash. A lot of sites are affected!

Hi everyone,

Just wrote a tiny WordPress Plugin to turn off HTTPS. It is not perfect but might help until waiting for the next Chrome release.

http://spunmonkey.design/chrome-beta-44-causing-problems-with-httpsssl/#comment-182 

Cheers

Really upset that this bug hasn't been fixed in stable version. This is really, really bad!

Could we please get time estimate for when this will be fixed?

This is now about 40 of my Wordpress Sites. links to external files are now showing https even though we never use https. Can't believe this passed BETA

Any chance on an update to this issue?

I have a number of affected sites
 
http://www.lionlabels.co.uk/
http://www.ladydesignerwear.co.uk/
http://www.optimumcontracthire.co.uk/
http://www.smcentertainment.co.uk/

and loads more, going to try the temporary fix listed here, but would really like some feedback on why this is happening.

Copy/pasting from  issue 501842 , which this bug duplicates:

"""
I apologize for the breakage; I apparently underestimated the impact based on the feedback during dev and beta:

1. A fix has been merged back to the stable branch (http://src.chromium.org/viewvc/blink?view=revision&revision=199090), but not quickly enough for the stable release that went out on Tuesday. I'll raise this bug with our release managers to see what can be done with regard to updating the stable channel.

2. Going forward, Chrome will no longer send `HTTPS` headers (We renamed the header from `HTTPS` to `Upgrade-Insecure-Requests` in response to the reports we got during beta), so ,at least with regard to Chrome, something like #38's suggestion is a reasonable short-term workaround. I'd certainly recommend removing it once Chrome pushes an update, but it will mitigate the issue for the moment.
"""

You can mitigate the issue server-side by asking your http server to remove the HTTPS header. For instance, with apache, you can add, in a .htaccess file:
RequestHeader unset HTTPS

And if your site uses a mix of SSL and non-SSL pages as does ours, the possible work-arounds don't work!

I am also getting "This webpage has a redirect loop" ERR_TOO_MANY_REDIRECTS. This is going to cost many people to loose money. PLease see if the fix can get pushed out now.

So far I've only seen WordPress websites running WooCommerce having this issue, when they are running an old version before 2.3.12 in which WooCommerce removed a bad fix. See also http://develop.woothemes.com/woocommerce/tag/woocommerce-2-3/
Are there any other situations known?

> So it goes beyond WordPress.

Right, I came here to say the same thing. This looks like an Apache + PHP bug.

Unfortunately the error is not a WooCommerce thing only. There are other plugins ( e.g.: Contact Form 7 ) and themes which use the is_ssl() function. Using this function causes all links to become HTTPS.

In case you do not want to mess with a code or .htaccess as a quickfix you can use this small plugin which basically disables HTTPS and does nothing else. Here is the code on GitHub

https://goo.gl/D54cWv

It should be used for a short amount of time until the Chrome Update is out. Cheers

I'm using Contact Form 7 on various websites and haven't seen any issues yet. Can you tell me how to reproduce that?

I was referring to a comment by this user:
http://themeforest.net/forums/thread/big-problem-chrome-version-44/186305?page=2#1309421

In our case the error occurs even without any plugin. The them I use, uses the is_ssl() function and based on that loads some file either via HTTP or HTTPS. the function always returns true.

re: #47 - this is just the plugin in #43 wrapped up to include a donation form in the WP admin, which is pretty disgusting.

I've got this issue on Chrome stable 44.0.2403.89-1 on Ubuntu Linux. It's made a WordPress blog I inherited on cPanel completely unusable. The blog does use WooCommerce.

It's a WooCommerce issue, they were doing bad things with $_SERVER['HTTP_HTTPS'] - Update WooCommerce to >= 2.3.

I to am having this issue, but only on one of my sites.  I am using Chrome 44.0.2403.89 (64-bit) on a Mac.  I only updated Chrome today and it started happening straight away.

Hopefully there will be a fix soon.

Keep in mind, even after chrome fixes this problem there will still be people having issues because they might not update right away.

So keeping "RequestHeader unset HTTPS" in your .htaccess would be a good idea for a few weeks after they fix the bug.

Ive been having issues the past 3 days, started with CSS not being loaded, then redirect loops, now im getting HTTPS/Security issues as well on WP/Woocommerce sites. Im going to use google chrome canary until this is fixed.

There is a Woocommerce update that works around this Chrome bug.

Thanks, I guess that's ok in the meantime but there are so many sites running WP/woo its pretty frustrating. I just switched to Canary and that seems to work.

The woo commerce update allows the problem to be worked around so that the website looks/works fine in Chrome.

Does the woocommerce workaround work if portions of your site require SSL?

I would like to thank everyone who has been posting in this thread. 
Especially Username: fmsoc...@fabricmate.com for posting the htaccess solution.
This saved me since my site does not use SSL at all..

Am using wordpress 4.2.3. and woocommerce 2.3.8. Running chrome 44.0.2403.89 m.

Just convinced my client to switch from IE to chrome, hope i wont need to advice otherwise............ please keep us updated.

Thanks for the htaccess solution, adding RequestHeader unset HTTPS did the trick for me. Just ot confirm, SSL still works for checkout pages in WooCommerce with this fix.

The real solution is to update WooCommerce, not to hack your .htaccess file or install plugins.

hi,
Guys this is bug with WordPress Woo-Commerce old releases before 2.3. Once you update the Woo-Commerce to 2.3 you can see this issue is fixed.
Kindly reply if this is helpful.

Thanks

Also dont forget to clear the browsing cache
Also this bug is with chrome 44.x.x.x only version 39.x.x.x is working perfectly.

hi,
Guys this is bug with WordPress Woo-Commerce old releases before 2.3. Once you update the Woo-Commerce to 2.3 you can see this issue is fixed.
Also dont forget to clear the browsing cache
Also this bug is with chrome 44.x.x.x only version 39.x.x.x is working perfectly.

Kindly reply if this is helpful.

To be more precise, WooCommerce 2.3.12 fixes this issue

2.3.12 - 06/07/2015
Fix - Fixed Google Chrome forcing to use SSL. This can cause some issues on websites behind load balancers or reverse proxies. Read more.

When will this fix be released?

So far my experience is that none of these 'hacks' and workarounds are working. I still get the SSL errors in WordPress after the upgrade to Chrome v44. Please fix this!

Right now the fix that finally worked for us (our site uses a mix of http/https) is to comment out the below lines in woocommerce.php:

if ( ! isset( $_SERVER['HTTPS'] ) && ! empty( $_SERVER['HTTP_HTTPS'] ) )
			$_SERVER['HTTPS'] = $_SERVER['HTTP_HTTPS'];

Guys for now use Canary, go in and update your WP and Woo.

Pages do not work correctly on the https protocol.

Deleted: 2015-07-24_223518.png 167 KB

	2015-07-24_223518.png 167 KB View Download

Deleted: 2015-07-24_222131_1.png 195 KB

	2015-07-24_222131_1.png 195 KB View Download

As noted in https://code.google.com/p/chromium/issues/detail?id=501842#c63, the fix is now live on M44 Desktop stable channel version 44.0.2403.107 (Win, Mac, Linux).

I can confirm that updating woocommerce has fixed this issue.

Yes but in several sites Im not the admin and the issue continues.

I just updated Chrome to Version 44.0.2403.89 and I am still getting the HTTPS privacy error when going to the WP Dashboard! I have found though that this fixes it, but I shouldn't have to enter hacks into my files - please fix this!

/* add this to your functions.php file in WP to bypass SSL error */
function https_chrome44fix() {
  $_SERVER['HTTPS'] = false;
}
add_action('init', 'https_chrome44fix',0);

I think this goes back to this spec here: http://www.w3.org/TR/upgrade-insecure-requests/

So, if anything, either the W3C spec *or* PHP is broken and website owners will likely experience the same breakage again when other browser vendors start to implement that spec...

I too am having this issue, very annoying!!! more reasons to abandon chrome :(

Hey, at least Google's focusing on the IMPORTANT things, like their new logo.

No one investigated and they make relese with this bug. 

What a bucnh of noobs omg.  i can't believe this happen.

menu chrome, try in advance setting,  click reset setting... hope this help... mantapps