New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Force HTTPS in the tracking code whenever HTTPS is currently being used #12857
Conversation
@@ -137,7 +137,7 @@ public function generate( | |||
'trackNoScript' => $trackNoScript | |||
); | |||
|
|||
if (SettingsPiwik::isHttpsForced()) { | |||
if (ProxyHttp::isHttps()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't it be if (ProxyHttp::isHttps() || SettingsPiwik::isHttpsForced()) {
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If https is forced, Matomo is running under https. As ProxyHttp::isHttps
returns true if the current protocol is https it isn't really needed to also check if https is forced
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So you cannot reach this function via non-SSL if SSL is forced? Than go ahead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This won't really work for example when Matomo is behind a proxy. The frontend may be running on http, but the backend on https. We've had this couple of times in the past. It may be also the other way around which happens quite often too that the frontend is https but the backend runs on http and in both cases it would be wrongly detected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If https is forced, Matomo is running under https. As ProxyHttp::isHttps returns true if the current protocol is https it isn't really needed to also check if https is forced
see for above reasons why it doesn't have to be the case.
Cheers @tsteur so this won't work as well as expected.
|
it is better to force SSL as soon as the HTTPS is working and is being used for the Tracking code page. follows up #7366 #12799