I came across the 'Use HTTPS for canonical URLs' setting on my site but didn't understand exactly what it's for. So I looked through the code to figure it out and now I have some thoughts.
It's used to set the https option for the url() function, but in that function it also checks the https setting in settings.php. In the description of the setting in the UI it says "Please note: to get it working in mixed-mode (both secure and insecure) sessions, the variable https should be set to TRUE in your file settings.php". Is there a way to get it working in non-mixed mode? Why do you need to set a UI setting and a settings.php setting in order for this to work?
What about other links (in the page head or elsewhere)? Shouldn't they use https too if this setting is set?
If the answer to 3 is no, what's the best way to make all links use https (like "HTTPS everywhere")? Should there be a different setting that sets the default value of the url() function's https option to TRUE?
These are great questions. I haven't really thought about this setting, since we've defaulted to always have certificates for sites we host and have http redirect to HTTPS in the host setup. But sounds like we could improve this setting.
Here's the original issue where the "Use HTTPS for canonical URLs" setting was added: #865
The $settings['https'] option is incredibly difficult to comprehend. I'd need to research it a bit to give an accurate answer on how it works.
Is there a way to get it working in non-mixed mode?
In checking my local, it seems like if your site is entirely HTTPS already, this checkbox has no effect: the canonical links are already HTTPS. If you redirect http to https traffic via your web server or .htaccess then this setting can be ignored.
I think the real meaning of that setting is actually: "Use HTTPS for canonical URLs even on HTTP pages". Otherwise the behavior is to use the current protocol for the canonical URL.
Note that setting was added 10 years ago, when HTTPS was not universal (or free) like it is now. "Mixed mode" sites were more common when it was typical to deliver HTTP to anonymous users and HTTPS for logged-in users only. These days we typically see all sites are HTTPS all the time.
It seems to only really be used in two places - nodes and taxonomy - to set a rel="canonical" link in the head of the page. But there's another place where canonical links are added to the page head: https://github.com/backdrop/backdrop/blob/1.x/core/modules/file/file.pages.inc#L449C47-L449C56 Maybe that should be using this too.