This is the expected behaviour, the Super Admin decides to force https on the website he doesn't want a normal admin from overriding his decision.
Setting Force HTTPS: Entire Site Will force every page to be returned by the site as https

Then the setting Secure: Off in menu items is complete nonsense and should be removed completely if a Super User has made a global decision.

Or the reply was incorrect

1. Per menu item setting ('secure' parameter)

is used inside helper of mod_menu
to create a link that has https or http as protocol

https://github.com/joomla/joomla-cms/blob/staging/modules/mod_menu/helper.php#L127

$item->flink = JRoute::_($item->flink, true, $item->params->get('secure'));

2. Global forcing of https ('force_ssl' parameter)

happens at the start of --current page-- URL parsing inside SiteRouter.php inside the parse() method

There, before the URL is "parsed" by Joomla routing and thus before its itemId (and other variables) are discovered, the redirection to HTTPS is forced only by looking at current protocol
(thus it does not examine any menu item settings)

https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Router/SiteRouter.php#L80-L85

if ($this->app->get('force_ssl') == 2 && strtolower($uri->getScheme()) !== 'https')
{
	// Forward to https
	$uri->setScheme('https');
	$this->app->redirect((string) $uri, 301);
}

further down the code the URI is parsed to get variables and thus also get itemId for the current page

https://github.com/joomla/joomla-cms/blob/staging/libraries/src/Router/SiteRouter.php#L138-L140

$vars += parent::parse($uri);

return $vars;

Probably change description of menu item parameter,
to document that the setting is used only when force HTTPS is not enabled in global configuration

The setting in menu items and "expected bahavior" is completely misleading and unhandy for """normal""" users; also concerning SEO and ""DC"".

• Set Force HTTPS: OFF in configuration.
• For a single menu item set: Secure: On but not for home page
• Visit frontpage/home page
• The link of above menu item has https,. All others have http. Fine.
• Click the https link.
• On https page all links have a https now except menu items where you set explicitly Secure: Off. Fine (somehow)
• Now change the URL in address bar of browser to http instead of https. No redirect. You'll see the http page.

I think this needs more than just an endless description. I understood the current one after my finds and code view. It talks about "links".

After looking at the codes:
Maybe an early plugin would be a good place in the future ("force SSL of menu items by redirect if Secure is ON" or something) to make this feature more understandable and/or consistent. Even if it will reduce performance because it has to check the menu params if it shall redirect ( (EDIT: or manipulate the $app configuration) or not, it would be less confusing and it would be a user decision

I am still at a complete loss as to why you would ever want to turn off SSL for any part of your site.

In this case a user wanted to disable it because of IFrames on the page that are only available via http.

I am still at a complete loss as to why you would ever want to turn off SSL for any part of your site.

I myself agree. But then my decision would be to remove this misleading setting from menu items. Maybe in Joomla 4 even if it would be a drastic B\C break. But consequent.

I opened this issue because it's a recurrent issue for users, not only in forums.

We can’t remove it due to BC since some components may use it and cause a redirect.

The issue is you are trying to include insecure I framed. The provider of the iframes / content should upgrade their site to SSL it’s quick and easy and mainly free these days! And problem is solved.

The web is going full https and to go backwards to https seems like a crazy step.

I would suggest should you progress down this route to use htaccess rules to setup your unique redirect scenario.

We can’t remove it due to BC since some components may use it and cause a redirect.

I don't understand. We can't remove a nonsense feature from Joomla 4 core? There is no core extension that is using this setting in a consequent way! There's exactly 1 place where Joomla redirects to SSL (when SSL is activated in configuration).

And there are other settings that were removed from Joomla 4 that could be theoretically used in extensions.

Your answer contradicts itself. On the one hand you want to force users to use SSL. On the other you want to keep this stupid setting.

It's easy for any programmer that is able to code a component to code a plugin, too, that brings back this setting in menus! 10 lines of code.

Describe a scenario please where this feature makes any sense in Joomla core!!

The issue is you are trying to include insecure I framed. The provider of the iframes / content should upgrade their site to SSL

As I've said above I personally try nothing.

I don't want a discussion here about things that others should do because you mean that they should do it or could do it. You also forget that SSL certificates are still not free at all hosters. And that some sites don't need SSL at all.

Be consequent! Remove it!

Yes it can be removed in J4. Tony was referring to J3

From July chrome will label any page without SSL as insecure.

Thinking about it i seem to recall that if the site is forced to on then you cannot force an individual item to off. The setting is only relevant if you want to switch an individual item to on when the site is not forced to on.

Yep which is why he wants ‘off’ removed as a selection ?

On 5 Mar 2018, 14:58 +0000, Brian Teeman notifications@github.com, wrote:

Thinking about it i seem to recall that if the site is forced to on then you cannot force an individual item to off. The setting is only relevant if you want to switch an individual item to on when the site is not forced to on.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.