SSL for WordPress Admin and the Problem with XMLHttpRequest

Posted on Thursday, March 20th, 2008, at 11:38 am, and filed under Meta Category. Note: Hypertext links in the printed form of this document are marked with a superscript "L" plus a number. The number corresponds to the list of web addresses at the bottom of the document.

Note! The updates to SSL handling in WordPress version 2.6 address the problem of SSL-encrypted admin sessions in a much less hackish sort of way. It doesn’t make any sense to use this plugin with WordPress version 2.6 when you can simply add define(’FORCE_SSL_ADMIN’, true); to your wp-config.php file.

The WordPress Codex has documentation for running the login, registration, and administration interfaces on an SSL server. There is even a plug-in that will do much of the heavy lifting for you. I have found both of these methods, by themselves, to be rather unsatisfactory, though, in that admin services that rely on AJAX calls back to WordPress break (such as the periodic saving of drafts). What happens is this:

Plugins will use the ’siteurl’ and/or ‘home’ values in the Options → General admin page, and that value is typically set to the “http://” rather than “https://” address of the blog.
The URL that plugins construct to talk back to the WordPress installation will go to an “http” address instead of the SSL-encrypted “https” address.
The admin page, loaded in the browser from the “https” address, attempts to talk back to the WordPress installation on a “http” address and triggers a exception. In Firefox, the error looks like this: Error: [Exception... "'Permission denied to call method XMLHttpRequest.open' when calling method: [nsIDOMEventListener::handleEvent]“…]

The security model in the browser prevents scripts on a page from using XMLHttpRequest¹ back to any host on the internet except for the host where the script came from. In this case, the difference between “http://…” and “https://…” is enough to trigger the problem.

So I fixed it with plug-in that uses an undocumented hook in WordPress 2.3. If a plugin requests the value of ’siteurl’ or ‘home’, a filter is called to check if the requested page is on the SSL server. If it is, the filter changes the URL from ‘http’ to ‘https’. In that way, plug-ins will use the proper form of the URL.

One downside to this plug-in, though, is that it will appear to change the values of ’siteurl’ and ‘home’ on the Options → General admin page. The values in the database are still the ‘http’ ones, but since the Options page is an admin page the filter will run when it pre-loads those form fields.

If there is interest, I can package up the above code into a legitimate plugin and submit it to the WordPress plugins list.

Footnotes

See http://en.wikipedia.org/wiki/XMLHttpRequest for more information on XMLHttpRequest. [↩]

(This post was updated on 16-Jul-2008.)

Links in "SSL for WordPress Admin and the Problem with XMLHttpRequest"

Tags for "SSL for WordPress Admin and the Problem with XMLHttpRequest"

Find Related Content:	within DLTJ	Technorati	del.icio.us	Wikipedia
ajax
fix_admin_ssl
ssl
web development
wordpress
XMLHttpRequest

Track and Share With Others

• Sphere: Related Content

• Technorati icon Technorati Cosmos

• Listen to this article

• TrackBack URI

2 Comments

John Fink | March 20, 2008 at 12:55 pm | Permalink

We have been wrestling with admin SSL and AJAX calls on our wpmu install for, oh geez, months and months and months. If this does work, you are (once again) my hero. Honest. Hopefully it will function in wpmu like it does for your wp.
the Jester | March 20, 2008 at 12:57 pm | Permalink

I don’t know anything about WPmu specifically, but if it works for you, great! (Be sure to report back here one way or the other.)

2 Trackbacks

Library Web Chic » Blog Archive » WordpressMU Migration Drama | March 20, 2008 at 6:49 pm | Permalink

[...] on 20 Mar 2008 at 9:45 am1Peter Murray [...]
Anonymous | June 30, 2008 at 9:33 pm | Permalink

[...] 2008

Disruptive Library Technology Jester