admin-ajax.php requests via http regardless of force_ssl_admin() state
Reported by: robertaccettura | Owned by:
Noticing these requests failing:
"NetworkError: 403 Forbidden - http://HOSTNAMEwp-admin/admin-ajax.php"
My server explicitly denies http to wp-admin. SSL only.
Looks like admin_url() is giving http rather than https. I suspect this bug actually lies somewhere in get_site_url(), but I don't have time to triage this right now.
This is technically a security bug since WP should always obey force_ssl_admin(), but I don't think anything is being leaked or compromised. You don't get access to anything, and nothing being sent over the wire is sensitive since it still obeys the rules of the protocol (cookie is secure). It's just a nuisance.
Change History (5)
- Component changed from Security to HTTP
- Keywords has-patch dev-feedback added
- Milestone Awaiting Review deleted
- Resolution set to worksforme
- Status changed from new to closed
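
A diagnostic for the behaviour reported above, as an added example that is not part of the ticket or of WordPress core: a must-use plugin that logs whenever `admin_url()` hands back a non-https URL while `force_ssl_admin()` is enabled, together with the call chain that requested it. The file name, function name and log prefix are assumptions made for illustration.

```php
<?php
/**
 * Added example (not WordPress core code): audit admin URLs that are not
 * https while force_ssl_admin() is on.
 * Assumed location: wp-content/mu-plugins/ssl-admin-url-audit.php (hypothetical name).
 */

// Run last so the URL is inspected after every other 'admin_url' filter has had
// its turn; only two arguments are requested so older filter signatures still work.
add_filter( 'admin_url', 'ssl_audit_check_admin_url', PHP_INT_MAX, 2 );

function ssl_audit_check_admin_url( $url, $path ) {
	// Nothing to audit unless the site is configured to force SSL for the admin.
	if ( ! force_ssl_admin() ) {
		return $url;
	}

	$scheme = wp_parse_url( $url, PHP_URL_SCHEME );

	// A URL without a scheme (relative or protocol-relative) inherits the scheme
	// of the page that embeds it, so it cannot by itself force an http request.
	if ( null === $scheme || false === $scheme || 'https' === strtolower( $scheme ) ) {
		return $url;
	}

	// Log enough context to tell whether the http scheme came from the stored
	// site URL, from the current request, or from the code that asked for the URL.
	error_log(
		sprintf(
			'[ssl-audit] admin_url(%s) returned %s | is_ssl=%s | siteurl=%s | callers=%s',
			$path,
			$url,
			is_ssl() ? 'yes' : 'no',
			get_option( 'siteurl' ),
			wp_debug_backtrace_summary()
		)
	);

	// Diagnostic only: return the URL unchanged so the behaviour under
	// investigation is not masked.
	return $url;
}
```

Entries appear in the PHP error log; the `callers` field shows which theme, plugin or core function produced each http URL.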