Now the HTTP login page redirects to the HTTPS version, but for some reason creating an account is exempt.
Is there any reason to allow the login details to be sent in cleartext even once?
What I expect: [1] should redirect to [2]
Version: wmf-deployment
Severity: normal
Not only for Wiktionary, there are lots of signup pages which should redirect to https. For instance,
http://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
should redirect to
https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
But currently it doesn't redirect.
(In reply to comment #1)
Sorry, I meant:
http://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page&type=signup
and
https://en.wikipedia.org/w/index.php?title=Special:UserLogin&returnto=Main+Page&type=signup
(In the original post, the link points to the login page rather than the signup page.)
I have vague memories of doing that for a reason, but I can't seem to find it right now. Git blame points to Tyler for the $this->mType !== 'signup' in the code. Tyler, do you remember why signup was excluded there?
I can't seem to recall why I put that condition there. I don't think there was a reason. The commit this condition was added on was way back in 565014a8, when I originally fixed $wgSecureLogin functionality (because before that the feature was completely broken and didn't work). It should be safe to just take that out of the if() statement.