// urls shouldn't get changed to http

[mrdomino]

I wrote a post with a script src="//some/url" in it (specifically, an embedded tweet). In the published site, that became an http link. Since I'm static-publishing over https, that means it didn't resolve.

Can't set up a wordpress instance to try to get a more complete report unfortunately, but hopefully that's a good start.

Acceptable alternatives would be to just point to https, or to preseve the //.

[JamborJan]

What is missing here is a force https feature or something like this. I have the same issue for external content and I'm not sure how to solve it. When I use plugins or themes whcih use e.g. Google Fonts I get:

[Warning] [blocked] The page at https://randomxyz.nameo.sandcats.io was not allowed to run insecure content from http://fonts.googleapis.com/css?family=PT+Sans+Narrow:400,700&subset=latin,latin-ext,cyrillic. (randomxyz.name.sandcats.io, line 51)

I guess Wordpress doesn't detect the fact that the page is https because Sandstorm works like reverse proxy here and inside the grain there is only an http connection from Sandstorm to the in-grain nginx server (or whatever you use inside the grain).

The sad story is: I didn't find a solution so far and the sandstorm guys seem to be pretty busy with other stuff as this repo and the issues inside are not updated since months.

[ocdtrekkie]

@JamborJan It's worth noting that when Sandstorm sandboxing is more complete, external content like Google Fonts is likely not going to work at all without some sort of permission grant by Sandstorm.

[JamborJan]

There is a rather philosophical problem with that. Technical wise this might all be true, awesome and secure. But these things bring problems for a sane usage of the Sandstorm WorPress port. There will pretty often be issues with:

• people want to use themes and plugins which use external resources. It should be possible for the user to allow external content for a grain (different topic, not here)
• insecure mixed content is more and more not allowed at all (the core of this issue) the way how the grain is setup prevents WordPress from detecting https. This should be fixed.
• its not possible to create a https page with a customised name without being an reverse proxy expert (not this issue here, see: setup https page with wordpress on sandstorm #25)

So yes, you could stick to the explanation you gave but this will cause that users will not use wordpress on sandstorm and the goal of sandstorm of providing easy to install apps fur none-tech users which work out of the box is gone.

[ocdtrekkie]

All I'm indicating is that the problem needs to be more holistically addressed. I don't know if it's possible for Sandstorm to maybe detect external resources and replace them when it's common ones like jQuery or Google Fonts, or if there needs to be some flavor of Sandstorm driver for external content or something.

[JamborJan]

I was able to always get an https prefix when I add this to the top of my template in the header.php:

<?php
/* SSL Proxy */
$_SERVER['HTTPS']='on';
?>

Unfortunately causes this the following Wordpress on Sandstorm bug for every single link: #15

So for now this is no work around but maybe soon.

[xet7]

This issue was moved to sandstormports/wordpress-sandstorm#16