Always load recaptcha JS over HTTPS

[alexymik]

Overview

Recaptcha api.js should always be loaded over HTTPS regardless if the Civi site is being served over insecure HTTP.

Before

Currently CiviCRM checks to see if the site is being served over SSL/HTTPS and attempts to load the recaptcha API over the same protocol:

if (CRM_Utils_System::isSSL()) {
  $useSSL = TRUE;
}

After

Force-set this option so the resulting include tag always loads api.js over https:// as a best-practice.

Technical Details

See also packages/recaptcha/recaptchalib.php:112

Comments

Related: https://lab.civicrm.org/dev/core/issues/425

[civicrm-builder]

Can one of the admins verify this patch?

[civibot]

(Standard links)

• If this is your first pull-request for CiviCRM, please browse CONTRIBUTING.md for information about the development and testing processes.
• If you are reviewing this pull-request, you may wish to consult the test sites and the Review Standards (long template, short template).

[seamuslee001]

Jenkins ok to test

[eileenmcnaughton]

@xurizaemon @totten thoughts ? I know @xurizaemon wrote a lot about this ... I just haven't read it :-) so I'm more looking for @xurizaemon to advise if this is consistent with his proposal & @totten to say whether the proposal makes sense / is safe

[seamuslee001]

Given this is about loading an external service then i think it makes sense to go for the HTTPS version. This would ensure that there is no insecure or mixed mode messages or anything like that. I am a +1 on this

[eileenmcnaughton]

merging based on @seamuslee001 @mlutfy - test fail unrelated