• When using FORCE_SSL_ADMIN with an untrusted SSL certificate, I’m having problems with some plugins (ie: wp-polls) using admin-ajax.php.

    WordPress itself doesn’t force admin-ajax.php to SSL, since it’s used by non-admin code as well.

    However the plugins use the admin_url() function to form the admin-ajax.php URL. The function returns a URL that will be served via https.

    At that point we have mixed content, where the rest of the site is served through http and admin-ajax.php is served through https. If the site doesn’t have an SSL certificate that is trusted, the browser’s default behavior is to block that https connection, thus breaking the ajax function.

    Since many WordPress sites don’t have public user registration, it’s common practice to use self-signed SSL certs with such WordPress sites.

    A dirty hack could be using a home_url('wp-admin/admin-ajax.php') function instead but that would defeat the whole purpose of an admin_url() function.

    What solution should be implemented for this problem?

Viewing 2 replies - 1 through 2 (of 2 total)
  • TruthMerchant

    (@truthmerchant)

    When 4.0 deprecated “FORCE_SSL_LOGIN” it broke a lot of public facing plugins that use AJAX. If the plugin is using admin_url('admin-ajax.php'), relying on this function to properly define the protocol, then the “https” protocol will be asserted, causing the AJAX to fail to send COOKIES (authorizations). It fails because the page that sent the AJAX object was operating as “http” and the browser sees the “https” AJAX request back to the page as being “cross domain”.

    For now, in the plugin, use

    $scheme = is_ssl() ? 'https' : 'http'; // define proper protocol

    and

    admin_url('admin-ajax.php', $scheme), // specify the protocol

    IMHO there should probably be a core function named “ajax_url(…)” that handles this problem and also uses a “nonce” with the time being part of the arguments.
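
One way a plugin could apply the reply's suggestion together with a nonce, as an added example that is not code from this thread or from any plugin named in it. The script handle myplugin-poll, the action myplugin_vote, the option myplugin_votes and the file js/poll.js are hypothetical names; the WordPress functions are core APIs.

```php
<?php
// Added example: hypothetical plugin file. All 'myplugin' names are assumptions.

// Front end: give the script an AJAX URL whose scheme matches the page that
// loads it, so the request stays same-origin, plus a nonce for this action.
add_action( 'wp_enqueue_scripts', function () {
    $scheme = is_ssl() ? 'https' : 'http';

    wp_enqueue_script(
        'myplugin-poll',
        plugins_url( 'js/poll.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );

    // Exposed to js/poll.js as the global object mypluginPoll.
    wp_localize_script( 'myplugin-poll', 'mypluginPoll', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php', $scheme ),
        'nonce'   => wp_create_nonce( 'myplugin_vote' ),
    ) );
} );

// Server side: reject requests without a valid nonce before changing state.
function myplugin_handle_vote() {
    // Ends the request with a 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'myplugin_vote', 'nonce' );

    $choice = isset( $_POST['choice'] ) ? absint( $_POST['choice'] ) : 0;
    if ( 0 === $choice ) {
        wp_send_json_error( array( 'message' => 'Missing choice' ), 400 );
    }

    // Minimal tally stored in one option, keyed by choice id.
    $votes            = (array) get_option( 'myplugin_votes', array() );
    $votes[ $choice ] = isset( $votes[ $choice ] ) ? $votes[ $choice ] + 1 : 1;
    update_option( 'myplugin_votes', $votes );

    wp_send_json_success( array( 'choice' => $choice ) );
}
// Register the handler for logged-in and logged-out visitors.
add_action( 'wp_ajax_myplugin_vote', 'myplugin_handle_vote' );
add_action( 'wp_ajax_nopriv_myplugin_vote', 'myplugin_handle_vote' );
```

For logged-out visitors the nonce is not tied to a specific user, so it limits how long a captured request stays valid rather than identifying the caller.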

  • The topic ‘FORCE_SSL_ADMIN and admin-ajax.php problem’ is closed to new replies.