Now this is interesting.
In the Chrome 44 release that happened just yesterday, it appears the browser got a small bug, or rather a significant change.
It's now sending the HTTPS: 1 header on every request by default. This was probably meant as a security improvement, to suggest HTTPS to the server wherever possible, but it's breaking WordPress and other webserver installations all over the place.
Why? Because most PHP software uses $_SERVER['HTTPS']; to detect if the site is running behind an SSL certificate or not. This includes WordPress, Drupal and any custom PHP software that checks this header.

    if ($_SERVER['HTTPS']) {
        // Assume HTTPS, redirect or enable https:// prefixes on all resources (css/js/images/...)
        ...
    }
The next planned release of Chrome is scheduled for July 27th, but they're investigating whether an emergency patch can be sent out to resolve this issue.
Bugtracker: Issue 505268: Forcing WordPress sites to use https even when not directed.
This is not going to be a fun week for Chrome users.
To be fair, the underlying reason is just another bad design decision on PHP’s part.
It’s not a bad PHP design decision, it’s a bad design decision of whoever is using it that way in PHP. To be fair, that code is actually only reading an HTTP header variable, so it’s not bad or good, it’s up to you how you wish to use it. Depending on it and assuming HTTPS is incorrect.
No.. no, this is a PHP problem if that header is overwriting $_SERVER['HTTPS'].
per the docs:
> 'HTTPS'
> Set to a non-empty value if the script was queried through the HTTPS protocol.
You can’t seriously think having an associative array that contains all of, and I quote, “headers, paths, and script locations” is a good idea.
Are you sure $_SERVER['HTTPS'] can be populated from request headers? If it is sent by the browser, I believe it would be set as an HTTP_* index:
$_SERVER['HTTP_HTTPS'] => 1
As per the documentation (http://php.net/manual/en/reserved.variables.server.php):
> 'HTTPS'
> Set to a non-empty value if the script was queried through the HTTPS protocol.
I’ve checked a number of Drupal sites on a variety of hosting platforms, and from what I can tell Drupal is not affected.
Drupal checks for the value of 'on' rather than just a bool value of $_SERVER['HTTPS']
includes/bootstrap.inc
735: $is_https = isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on';
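
The checks discussed in the post and comments, side by side, as an added example (not code from the original post, from WordPress or from Drupal). It assumes a CGI/FastCGI-style gateway, where request headers reach PHP as HTTP_* keys per RFC 3875; the function names, the header-trusting check and the three sample requests are constructed for illustration.

```php
<?php
// Added example: constructed inputs, hypothetical function names.

// Build the $_SERVER-style array a CGI/FastCGI gateway would hand to PHP.
// $serverHttps is what the web server itself puts in HTTPS (null = unset).
function cgi_env(array $requestHeaders, ?string $serverHttps): array
{
    $env = [];
    if ($serverHttps !== null) {
        $env['HTTPS'] = $serverHttps;            // server-controlled
    }
    foreach ($requestHeaders as $name => $value) {
        // RFC 3875 4.1.18: upper-case, '-' becomes '_', prefix HTTP_
        $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
        $env[$key] = $value;                     // client-controlled
    }
    return $env;
}

// The post's pattern: any non-empty value means HTTPS.
function loose_check(array $s): bool
{
    return !empty($s['HTTPS']);
}

// Hypothetical check that trusts the request header directly.
function header_check(array $s): bool
{
    return !empty($s['HTTP_HTTPS']);
}

// Same logic as the Drupal line quoted from includes/bootstrap.inc.
function strict_check(array $s): bool
{
    return isset($s['HTTPS']) && strtolower($s['HTTPS']) === 'on';
}

// Constructed requests: [description, request headers, server HTTPS value]
$cases = [
    ['plain HTTP, Chrome 44 header', ['HTTPS' => '1'], null],
    ['real TLS request',             [],               'on'],
    ['plain HTTP, server sets off',  [],               'off'],
];

foreach ($cases as [$label, $headers, $serverHttps]) {
    $s = cgi_env($headers, $serverHttps);
    printf("%-30s loose=%d header=%d strict=%d\n", $label,
        loose_check($s), header_check($s), strict_check($s));
}
```

Under this mapping only the check that reads the client-controlled HTTP_HTTPS key reacts to the browser's header, while the loose truthiness test misfires when a server sets HTTPS to off on plain HTTP.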