CSS file included for language selector widget is not having http or https

This thread is resolved. Here is a description of the problem and solution.

Problem:
The shortcode [wpml_language_selector_widget] used for showing the language switcher in the header includes the path to the CSS file like so "sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.css?ver=1" It is missing the HTTP or HTTPS part, which can cause a security issue.

Solution:

Our developers checked this issue and concluded that there was no security risk by not having the HTTP or HTTPS part in the CSS URL link, and it should not be included due to a specific reason.

This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.

Tagged: Not WPML issue

This topic contains 13 replies, has 3 voices.

Last updated by Itamar 4 years, 2 months ago.

Assisted by: Itamar.

Author	Posts
November 16, 2020 at 5:24 am #7454675
Alifa Colaco	Used [wpml_language_selector_widget] shortcode for showing the language switcher in header. This includes "sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.css?ver=1" CSS file with http or https (see the attached screenshot). We want the URL to include http or https depending on website URL.
November 17, 2020 at 10:31 am #7465041
Ahmed Mamdouh Supporter Languages: English (English ) Arabic (العربية ) Timezone: Africa/Cairo (GMT+02:00)	Hi, Thanks for contacting our support forum. As I understood you are trying to add a new custom language switcher, so could you please tell me how did you add the shortcode to the header? Also, Could you please share the debug information of your site with me? You can read a detailed explanation about it here. http://wpml.org/faq/provide-debug-information-faster-support The debug info will give me a lot of information about how your site is configured and help me understand the source of the problem. Best regards, Ahmed Mamdouh.
November 17, 2020 at 10:44 am #7465109
Alifa Colaco	echo do_shortcode('[wpml_language_selector_widget]');
November 17, 2020 at 12:01 pm #7466073
Ahmed Mamdouh Supporter Languages: English (English ) Arabic (العربية ) Timezone: Africa/Cairo (GMT+02:00)	Hi, Are you facing a problem adding HTTP or HTTPS to the CSS link? and if yes could you please provide me the error or describe the issue in detail? Best regards, Ahmed Mamdouh.
November 17, 2020 at 1:14 pm #7466587
Alifa Colaco	Are you facing a problem adding HTTP or HTTPS to the CSS link? - Yes We have added the below code for showing language switcher for the site. <?php echo do_shortcode('[wpml_language_selector_widget]'); ?> It includes the below CSS file when the above code is added: <link rel='stylesheet' id='wpml-legacy-horizontal-list-0-css' href='//devlocal.creativecapsule.local:8002/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.css?ver=1' type='text/css' media='all' /> If you check the link for the above CSS file it is not showing http or https. But, for our site we want all CSS/JS links to have http or https for the URL.
November 17, 2020 at 8:31 pm #7470189
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi there. Since Ahmed is not available I'll continue helping you with this issue. I can replicate this issue on my test site. Indeed the http: or https: part of the 'href' attribute that points to the custom Language Switcher style.css file is missing. But as far as I see it it is just a minor issue because other than that everything is functioning as it should. The CSS for the custom Language Switcher is loading correctly. And if the URL of your site is the HTTP or HTTPS protocol that link will be accordingly. You can check my test site at the following link. hidden link If you inspect the Language Switcher with the browser's developers tool then you should notice that it is loading with the HTTP or HTTPS protocol. Please see the attached screenshot https-ok.jpg. At the following link, you will find the full link to the CSS file. hidden link Can you see my point on this case? Of course, I'm going to discuss this with our second tier supporters and escalate the issue if needed. But now it is important for me to know if you are having actually issues because of the missing http: part in the link? Thanks, Itamar.
November 19, 2020 at 9:52 am #7481599
Alifa Colaco	We need to have HTTP or HTTPS protocol as our IT team have identified it as a security issue.
November 19, 2020 at 5:17 pm #7486783
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi, OK, I'm going to escalate this issue to our second tier supporters. They will escalate it to our developers if it will be needed. We'll keep you updated here on any news regarding this issue. Meanwhile, it might be helpful if you can get more information from your IT team about the security issue that they identified. If you get it please share it here with me. Thanks, Itamar.
November 22, 2020 at 12:53 pm #7502751
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi. I've escalated this issue to our second tier supporters. They will debug it and escalate it to our developers if needed. We'll keep you updated here on any news regarding this issue. Thank you for your patience. Itamar.
November 23, 2020 at 7:16 am #7505815
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi. Our second tier supporter has checked this issue and explains the following. The missing protocol is part of a practice. If you do not specify a protocol, then a request is made using the protocol used to connect with the site. Just like a relative path, it is a relative URI. I hope that this clarifies the issue. Please let me know if you have further questions about this issue. I'm also waiting to hear from you regarding the security issue that you mentioned. As far as we can see, there is no security issue here. Regards, Itamar.
November 26, 2020 at 6:58 am #7531767
Alifa Colaco	When our IT team does a security scan, this is identified as a security threat and this needs to be fixed. If further details are required then we can schedule a call with out IT team.
November 26, 2020 at 10:33 am #7533335
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi and thanks for the extra details. I passed your note to our second tier supporter. When I have more information from him I'll update you here. Thank you for your patience. Itamar.
November 26, 2020 at 11:38 am #7534003
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi. While our second-tier supporter consults the developers, he asked me to also pass the following request to you. Can you please point us to any documentation which explains the security threat that might be caused by not adding `https:` to the CSS link? Thanks, Itamar.
December 10, 2020 at 8:49 am #7632575
Itamar Supporter Languages: English (English ) Hebrew (עברית ) Timezone: Asia/Jerusalem (GMT+02:00)	Hi, After further discussing this issue with our main developers, we conclude that, as for now, there is no security risk by not having the http: part in the CSS URL link. In fact, we discovered that we shouldn't include this part because of a certain reason. So due to the above, we are going to wait for your reply with the IT team comment about what they see in it as a security risk. I look forward to your reply! Thanks, Itamar.