tollmanz / wordpress-https-mixed-content-detector

Monitor a WordPress site served over TLS for mixed content warnings

Only output the CSP header on https pages #12

Closed johnbillion closed 9 years ago

johnbillion commented 9 years ago

A multisite setup of mine has some sites which are served over https on the front end and some which aren't. (I'm tracking CSP errors in the admin areas, which are served over https.)

HTTPS Mixed Content Detector outputs its CSP header on the front end regardless of whether or not the page is served over https. This means the CSP log for the sites served over http gets needlessly filled up with reports which trigger for almost every asset on the page.

This fixes that.

tollmanz commented 9 years ago

This is a feature not a bug ;)

While I've not articulated this anywhere, the beauty of content-security-policy-report-only is that you can deploy it on an insecure site to prepare for a move to a secure site. I envision a migration to look like this:

  1. Set up your site to respond to http and https
  2. Run this plugin against the http variant of the site to start fixing issues that will become mixed content issues
  3. After these reports are resolved, put in http to https redirects and set your http-strict-transport-security policies

For your use case, you can set MCD_MONITOR_FRONT_END to false and MCD_MONITOR_ADMIN to 'true' (perhaps in an mu-plugin) on a site-by-site basis. This is not ideal, but should work.

I would definitely like to find a way to make this more user friendly. I am contemplating adding a UI for these types of options.

johnbillion commented 9 years ago

Interesting, I'd not thought of that use case.

It just occurred to me that I can solve my issue by using this in a mu-plugin:

define( 'MCD_MONITOR_FRONT_END', is_ssl() );
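One way to carry out tollmanz's site-by-site workaround together with the is_ssl() trick above, as an added example that is not the plugin's code nor code from either commenter. It assumes a mu-plugin file under wp-content/mu-plugins/, a hand-maintained map of blog IDs to modes (the IDs 2, 3 and 4 are invented), the helper name mcd_example_front_end_policy() (not a plugin function), the address 10.0.0.5 as a hypothetical TLS-terminating proxy, and that the plugin accepts boolean values for MCD_MONITOR_FRONT_END and MCD_MONITOR_ADMIN as johnbillion's one-liner already does:

```php
<?php
/**
 * Plugin Name: MCD per-site header control (example)
 *
 * Added example, not part of HTTPS Mixed Content Detector. Decides, per site
 * in a multisite network, whether the plugin should emit its
 * Content-Security-Policy-Report-Only header on the front end, using the
 * MCD_MONITOR_FRONT_END / MCD_MONITOR_ADMIN constants named in the thread.
 */

// Caveat: is_ssl() only looks at $_SERVER['HTTPS'] / SERVER_PORT. Behind a
// proxy that terminates TLS, PHP sees plain HTTP and is_ssl() is false for
// every request, so the is_ssl() trick would silently disable the header.
// Honour X-Forwarded-Proto only when the request really came from the proxy,
// otherwise any client could claim "https" on a plain-HTTP connection.
$mcd_example_trusted_proxies = array( '10.0.0.5' ); // assumed proxy address

if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['REMOTE_ADDR'] )
	&& in_array( $_SERVER['REMOTE_ADDR'], $mcd_example_trusted_proxies, true )
	&& 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
	$_SERVER['HTTPS'] = 'on';
}

/*
 * Per-site modes (blog IDs are assumed for the example):
 *   'always'   - emit on http as well, i.e. tollmanz's migration step 2:
 *                surface assets that will become mixed content later.
 *   'ssl_only' - emit only on https responses, johnbillion's case.
 *   'never'    - front end quiet, monitor the admin area only.
 * Sites missing from the map fall back to 'always', the plugin's own default.
 */
$mcd_example_site_modes = array(
	2 => 'always',
	3 => 'ssl_only',
	4 => 'never',
);

/**
 * Return true when the front-end CSP report-only header should be emitted.
 *
 * @param int    $blog_id    Current site ID in the network.
 * @param bool   $is_ssl     Whether this response is being served over TLS.
 * @param array  $site_modes Map of blog ID => 'always' | 'ssl_only' | 'never'.
 * @return bool
 */
function mcd_example_front_end_policy( $blog_id, $is_ssl, array $site_modes ) {
	$mode = isset( $site_modes[ $blog_id ] ) ? $site_modes[ $blog_id ] : 'always';

	switch ( $mode ) {
		case 'always':
			return true;
		case 'ssl_only':
			return (bool) $is_ssl;
		default:
			return false;
	}
}

// mu-plugins load before regular plugins, so the constants are in place when
// the detector reads them. Guard with defined() so a per-site wp-config
// override still wins.
if ( ! defined( 'MCD_MONITOR_FRONT_END' ) ) {
	define(
		'MCD_MONITOR_FRONT_END',
		mcd_example_front_end_policy( get_current_blog_id(), is_ssl(), $mcd_example_site_modes )
	);
}

// The admin area of every site in the thread is served over https, so keep
// reporting there regardless of the front-end decision.
if ( ! defined( 'MCD_MONITOR_ADMIN' ) ) {
	define( 'MCD_MONITOR_ADMIN', true );
}
```

The trusted-proxy block is the part worth checking on a real deployment: run a request with a forged `X-Forwarded-Proto: https` from an address that is not the proxy and confirm is_ssl() still returns false, otherwise the per-site switch can be flipped by any visitor.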

tollmanz commented 9 years ago

That certainly is parsimonious. I'm closing this, but opened #13 to explore more granular control of CSP deployment.