[wp-trac] [WordPress Trac] #19707: admin-ajax.php requests via http regardless of force_ssl_admin() state
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 2 06:38:58 UTC 2012
#19707: admin-ajax.php requests via http regardless of force_ssl_admin() state
-----------------------------+------------------------------
Reporter: robertaccettura | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: |
-----------------------------+------------------------------
Changes (by robertaccettura):
* type: defect (bug) => enhancement
Comment:
Further investigation shows this is likely a plugin creating these
requests using:
{{{
var ajax_url = '<?php echo admin_url("admin-ajax.php", null); ?>';
}}}
This, however, is indicative of the lack of a proper AJAX API on the
frontend, forcing plugin developers to resort to using an admin_url to
serve their needs. This is problematic and conflicts with things like SSL
admin.
May I suggest an equivalent, wp-user-ajax.php for example, and a
wp_user_ajax_my_action action? Switching existing plugins would be as
trivial as swapping a few characters. This would be more secure since it
encourages separation of wp-admin from user-related functions.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19707#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software