Hi, I haven't actually installed this patch, but the changes are very straightforward and should work as intended. Marking RTBC.
While I didn't actually install the patch/MR, from looking at it, it's clear that all it does is change HTTP to HTTPS in the generated drupal.org links. I did verify that the HTTPS version of the links work, so I'm going to mark this as RTBC.
Note: Anticipating the "why bother" response... As browsers get more strict about wanting to always use HTTPS, and also increasing strictness with cross-origin links (HTTP and HTTPS versions of a link are considered different origins) it should be standard to use HTTPS everywhere (or at least everywhere it's possible). It's a small change, easy to apply, with no bad side effects that I can think of. Please consider applying it to the next release.
Hi @heykarthikwithu, thanks for responding.
I acknowledge up front that this is a minor issue, and it would likely not cause any problems to leave as is. But it seems like a minor change, with no unwanted side effects that I can think of.
Some background... This came to my attention when I used an automated link scanner/checker (Xenu) on one of my Drupal 7 sites. It checks "visible" links that show in the page content as well as "not-visible" links like this one. The tool gives a report about redirected links, and that's when I noticed this one. I can add an exception for this link and the tool will stop notifying about it.
However, I think generally it's better to link directly to a target web page, via HTTPS if applicable, to avoid making the remote server do the redirect/rewrite.
And I believe it may be that allowing the browser to first request HTTP may introduce an opening for security issues, see this page for some background: https://https.cio.gov/hsts/.
What do you think?
rbruch β created an issue.
Not sure if this is the right way to bring this up but...
The link referenced above (http://www.w3.org/1999/xhtml/vocab) now redirects to a secure HTTP (HTTPS) version: https://www.w3.org/1999/xhtml/vocab
I found that this URL is defined in /includes/theme.inc on line 2627 (Drupal 7.96). Could the URL be updated to use the HTTPS link?