Make WordPress Core

Opened 10 years ago

Last modified 3 months ago

#36779 new defect (bug)

Move /wp-admin/load-scripts.php and /wp-admin/load-styles.php to /wp-includes

Reported by: SaulNunez
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.4.2
Component: Script Loader
Keywords: close
Focuses:
Cc:

Description

Basically these files are inside the /wp-admin directory, but you can hit them and get output without being authenticated.

examples:
http://somedomain.usingwp.com/wp-admin/load-scripts.php?c=0&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check&ver=4.4.2
http://somedomain.usingwp.com/wp-admin/load-styles.php?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check&ver=4.4.2

If these scripts are for use inside the admin, why isn't authentication required?
If these scripts are for general use on the admin, themes, etc., why aren't they in wp-includes?

This was pointed out to me in a security scan, and apart from that, if the idea is general use for this, I think hosting these in /wp-admin is misleading.
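For anyone triaging a scanner finding like the one above, it helps to see exactly what these two endpoints are being asked to serve. The helper below is an added example, not WordPress code or anything from this ticket: it reads combined-format access-log lines (the sample lines are constructed; the handle names are taken from the ticket's example URLs), picks out requests to the two concatenators under /wp-admin/, and decodes the requested handles. Note the two files use different query shapes: load-scripts.php takes `load[]=a,b` while load-styles.php takes `load=a,b`.

```python
"""Inspect access-log lines for hits on /wp-admin/load-scripts.php and
/wp-admin/load-styles.php, the two unauthenticated concatenators.

Added example, not part of WordPress.  SAMPLE_LOG is constructed in the
common combined-log format; handle names come from the ticket's URLs.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The two files the ticket is about; both answer without authentication.
CONCATENATORS = ("/wp-admin/load-scripts.php", "/wp-admin/load-styles.php")

# Minimal combined-log matcher: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_load_handles(target):
    """Return (endpoint, handles) if `target` hits a concatenator, else None.

    load-scripts.php is requested as load[]=a,b (percent-encoded brackets),
    load-styles.php as load=a,b; both values are comma-separated lists.
    """
    parts = urlsplit(target)
    if parts.path not in CONCATENATORS:
        return None
    qs = parse_qs(parts.query)          # decodes load%5B%5D -> load[]
    raw = qs.get("load[]", []) + qs.get("load", [])
    handles = [h for chunk in raw for h in chunk.split(",") if h]
    return parts.path, handles


def scan_log(lines):
    """Yield one record per request that reached a concatenator endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a parseable combined-log line
        hit = parse_load_handles(m.group("target"))
        if hit is None:
            continue                    # some other URL
        path, handles = hit
        yield {
            "ip": m.group("ip"),
            "path": path,
            "status": int(m.group("status")),
            "handles": handles,
        }


def handles_served(lines):
    """Distinct script/style handles served across all concatenator hits."""
    return sorted({h for rec in scan_log(lines) for h in rec["handles"]})


# Constructed sample: two concatenator hits and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2016:10:00:00 +0000] "GET /wp-admin/load-scripts.php'
    '?c=0&load%5B%5D=hoverIntent,common,admin-bar,svg-painter,heartbeat,wp-auth-check'
    '&ver=4.4.2 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2016:10:00:01 +0000] "GET /wp-admin/load-styles.php'
    '?c=0&dir=ltr&load=dashicons,admin-bar,wp-admin,buttons,wp-auth-check'
    '&ver=4.4.2 HTTP/1.1" 200 40210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2016:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "curl/7.47"',
]

if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ip"], rec["path"], rec["status"], ",".join(rec["handles"]))
    print("distinct handles:", handles_served(SAMPLE_LOG))
```

The point of decoding the handles rather than just counting hits is that a reviewer can confirm the requests are the ordinary bundles the login and admin pages fetch (as in the ticket's examples) before deciding whether a finding about the endpoint's location needs any follow-up at all.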

Change History (1)

#1 @jonsurrell
3 months ago

  • Keywords close added

This is a good question and I don't have an answer. It seems perfectly reasonable for these files to exist outside of the wp-admin path since they're not authenticated, like you suggest.

It seems they were introduced in [10357] and have been there ever since.

That said, with the amount of time that these files have been available at this location, I don't think they can just be moved. A new file would probably have to be created in the other directory, and the existing file would likely reference the new file via an include or something similar. That means that there's probably little benefit to changing where this file lives and it doesn't seem worth the effort to me. There's little downside to the current path for these files, which makes it hard to justify changing the path.
