XML-RPC and AtomPub Endpoints Should Respect FORCE_SSL_ADMIN and FORCE_SSL_LOGIN

[josephscott]

External APIs (XML-RPC and AtomPub) should force SSL access if FORCE_SSL_ADMIN or FORCE_SSL_LOGIN is set to true.

I think it makes sense to redirect to HTTPS if either FORCE_SSL_ADMIN or FORCE_SSL_ADMIN is set to true since both end points pass usernames and passwords in the clear (or near clear in the case of AtomPub which generally uses HTTP Basic Auth) and expose administrative functions.

I've got patches for -trunk and the 2.8 branch in hopes that we can get this included in the 2.8.1 release as well.

[josephscott]

This includes site_url() changes for the admin context from rev 11679

[josephscott]

The wp-app.php.diff for -trunk should work on the 2.8 branch as well.

[Denis-de-Bernardy]

If a POST request gets redirected, won't it lose the POST data?

[josephscott]

The redirect itself won't provide the POST data, so it will be up to the client to re-send the POST data to the HTTPS address provided in the redirect.

Under normal conditions that redirect will never be needed, since clients should be using the API link in the RSD, which will indicate HTTPS when FORCE_SSL_ADMIN is set.

[ryan]

Add 'rpc' context to siteurl which obeys ADMIN and LOGIN forced SSL

[josephscott]

Confirmed that Ryan's 10330.diff works as expected.

After thinking about this more I think that we should hold off on the forcing redirects for 2.9 and put in the 10330.diff for 2.8.1.

[ryan]

(In [11686]) Add 'rpc' context to siteurl which obeys ADMIN and LOGIN forced SSL. see #10330

[ryan]

(In [11687]) Add 'rpc' context to siteurl which obeys ADMIN and LOGIN forced SSL. see #10330 for 2.8.1