Using Magento’s getUrl() Method with HTTPS

We’re all familiar with using Magento’s getUrl() method when we want to retrieve a given URL in Magento, but additional checks may need to be added for pages served over HTTPS.

As an example, on Magento’s cart page, there exists a newsletter form that can be viewed near the footer. If the cart page has been served over HTTP, then the newsletter form action URL will also be HTTP.

The URL comes from the Mage_Newsletter_Block_Subscribe block class in the Mage_Newsletter module.

// app/code/core/Mage/Newsletter/Block/Subscribe.php

<?php
class Mage_Newsletter_Block_Subscribe extends Mage_Core_Block_Template
{
    // ...

    // Builds the newsletter form action URL, passing _secure => true
    public function getFormActionUrl()
    {
        return $this->getUrl('newsletter/subscriber/new', array('_secure' => true));
    }

    // ...

}

This is great as the core module correctly uses the built-in getUrl() method, but note that the second parameter is an array containing a _secure key which is set to true.

This might look like the URL will always be returned as HTTPS. However, diving deeper into the getUrl() functionality shows that the method checks whether the page is secure, and only then will it return HTTPS.

If the _secure parameter is taken out of getUrl(), and the cart page is accessed over HTTPS, then the following warning will appear in the console.

Mixed Content: The page at 'https://domain.com/checkout/cart/' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://domain.com/newsletter/subscriber/new/'. This endpoint should be made available over a secure connection.

You could pass in a _forced_secure parameter and set this to true, which would ensure that the newsletter form action URL is always served over HTTPS. However, if the website does not have an SSL certificate installed or reverts to using HTTP, the URL would more than likely not work.

Another method of checking for secure URLs is using the $this->_isSecure() method, which is available in all block classes that (eventually) extend from Mage_Core_Block_Abstract, as seen here in the Mage_Checkout_Block_Cart_Shipping class.

// app/code/core/Mage/Checkout/Block/Cart/Shipping.php

<?php
class Mage_Checkout_Block_Cart_Shipping extends Mage_Checkout_Block_Cart_Abstract
{

    // ...

    // Builds the estimate form action URL; _secure follows $this->_isSecure()
    public function getFormActionUrl()
    {
        return $this->getUrl('checkout/cart/estimatePost', array('_secure' => $this->_isSecure()));
    }

    // ...

}

Using $this->_isSecure() looks as though it is the right way to use getUrl(). However, testing the newsletter form action URL using array('_secure' => true) seems to indicate that this will suffice for checking for HTTPS.

If the Use Secure URLs in Frontend option under System -> Configuration -> Web in the Magento admin is set to Yes, then Magento will ensure that the checkout, customer register and login pages are redirected to HTTPS even if you try to access them over HTTP.

This is not the case with other Magento pages. Unless you have some server configuration to permanently redirect all of your website’s pages to HTTPS, they can be accessed over both protocols, and there is a chance you may run into some Mixed Content browser warnings when using getUrl() without the _secure parameter.
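To find the calls that can trigger the Mixed Content warning shown earlier, a theme or module can be scanned for getUrl() calls that pass neither a _secure nor a _forced_secure key. The Python script below is an added example, not code from the original article or from Magento; the sample template is constructed, and the scan is a heuristic that cannot see parameter arrays built in a separate variable.

```python
import re

# Matches a getUrl( call such as $this->getUrl( or Mage::getUrl(, not its definition
CALL_START = re.compile(r"(?<!function )\bgetUrl\s*\(")
# Route parameter keys named in the article that pin the URL scheme
SECURE_KEY = re.compile(r"""['"]_(?:forced_)?secure['"]""")

# Constructed sample template for illustration, not Magento core code
SAMPLE_TEMPLATE = """<?php /* constructed sample */ ?>
<form action="<?php echo $this->getUrl('newsletter/subscriber/new') ?>" method="post">
<form action="<?php echo $this->getUrl('checkout/cart/estimatePost', array('_secure' => $this->_isSecure())) ?>">
<a href="<?php echo $this->getUrl('catalogsearch/result', array('_query' => 'q=(test)')) ?>">link</a>
"""

def call_arguments(source, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth, quote, i = 0, None, open_paren
    while i < len(source):
        ch = source[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None                # end of the string literal
        elif ch in "'\"":
            quote = ch                      # parentheses inside strings are ignored
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
        i += 1
    return None                             # unbalanced: truncated or malformed source

def find_unpinned_get_url(source):
    """Return (line_number, arguments) for getUrl() calls without a _secure key."""
    findings = []
    for match in CALL_START.finditer(source):
        args = call_arguments(source, match.end() - 1)
        if args is not None and not SECURE_KEY.search(args):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, args.strip()))
    return findings

if __name__ == "__main__":
    for line, args in find_unpinned_get_url(SAMPLE_TEMPLATE):
        print("line %d: getUrl(%s) has no _secure key" % (line, args))
```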

Note: This article is based on Magento Open Source version 1.9.