admin-ajax.php requests via http regardless of force_ssl_admin() state
| Reported by: | robertaccettura | Owned by: | |
| Severity: | normal | Keywords: | reporter-feedback has-patch dev-feedback |
Noticing these requests failing:
"NetworkError: 403 Forbidden - http://HOSTNAMEwp-admin/admin-ajax.php"
My server explicitly denies http to wp-admin. SSL only.
Looks like admin_url() is giving http rather than https. I suspect this bug actually lies somewhere in get_site_url(), but I don't have time to triage this right now.
This is technically a security bug since WP should always obey force_ssl_admin(), but I don't think anything is being leaked or compromised. You don't get access to anything, and nothing being sent over the wire is sensitive since it still obeys the rules of the protocol (cookie is secure). It's just a nuisance.
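A check for the symptom described in this report, as an added example that is not part of the ticket or of WordPress: it scans rendered page HTML for plain-http URLs under /wp-admin/, including the JSON-escaped form (`http:\/\/...`) that inline scripts can contain. The function name, hostname and sample markup are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Absolute http/https URLs, stopping at quotes, whitespace and tag delimiters.
URL_RE = re.compile(r"""https?://[^\s"'<>\\)]+""", re.IGNORECASE)

# Constructed sample markup (not taken from the ticket).
SAMPLE_HTML = r'''
<script>var ajaxurl = "http:\/\/blog.example.test\/wp-admin\/admin-ajax.php";</script>
<a href="https://blog.example.test/wp-admin/profile.php">Profile</a>
<form action="http://blog.example.test/wp-admin/admin-post.php" method="post"></form>
<img src="http://blog.example.test/wp-content/uploads/logo.png">
'''


def insecure_admin_urls(html, admin_segment="/wp-admin/"):
    """Return the sorted plain-http URLs in `html` whose path is under wp-admin.

    On a site that enforces SSL for the admin area, every hit is a URL that
    was generated with the wrong scheme.
    """
    # Inline JSON escapes slashes as "\/"; undo that so one regex covers both forms.
    text = html.replace("\\/", "/")
    found = set()
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")
        parts = urlsplit(url)
        # Test the path only, so a query string mentioning wp-admin is ignored.
        if parts.scheme.lower() == "http" and admin_segment in parts.path:
            found.add(url)
    return sorted(found)


if __name__ == "__main__":
    for url in insecure_admin_urls(SAMPLE_HTML):
        print("plain-http admin URL:", url)
```
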