• Resolved jeff@exitshoes.com

    (@jeffexitshoescom)


    Is there a way for cforms2 to generate a protocol-independent captcha image? Is there some aspect of cforms admin-ajax that should be protected by https?

    My users access my contact form using http, but cforms creates an https url referring to my site to create the captcha image. Most browsers generate a silent ssl error because the site is “untrusted” and this results in a broken captcha image.

    I use https to administer my site, but I’m using a self-signed certificate. cforms.php sets the url for admin-ajax to the admin url of the site:
    'url' => admin_url('admin-ajax.php'),

    Since my admin is over https, the url is: https://<site>/wp-admin/admin-ajax.php?action=cforms2_reset_captcha&_wpnonce=nnnnnn

    The above url is untrusted and in most cases silently ignored.

    I fixed this for now in cforms.php using
    'url' => site_url('/wp-admin/admin-ajax.php'),

    The image is how I noticed it, but would silently discarding an untrusted ajax url cause other failures where the admin is using https with a self-signed certificate?

    Jeff

    https://wordpress.org/plugins/cforms2/

Viewing 1 replies (of 1 total)
  • Plugin Author bgermann

    (@bgermann)

    As the admin_url is aware of your HTTPS configuration and if you force admin requests to be delivered via HTTPS, the current behaviour is expected. I will not change it as you can get by via configuration. It would rule out the supposed config.

    cformsII makes use of the Ajax API at some other places (e.g. Ajax form submission), but you would probably notice.

    By the way: there are three CAs that provide free certificates that are recognised by common browsers: WoSign, StartCom and Let’s Encrypt. Why not just get a cert from them?
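
Added example, not part of the thread and not cforms2 code: the effect of the site_url() edit described in the question, applied through WordPress's admin_url filter from a must-use plugin so that cforms.php stays unmodified across plugin updates. The function name example_match_ajax_scheme and the file location are assumptions, as is a site that forces HTTPS for the admin area (FORCE_SSL_ADMIN).

```php
<?php
/**
 * Added example (not cforms2 code): keep admin-ajax.php URLs on the same
 * scheme as the request that renders them.
 *
 * Assumption: saved as a must-use plugin, for instance
 * wp-content/mu-plugins/ajax-scheme.php (hypothetical file name).
 */

add_filter( 'admin_url', 'example_match_ajax_scheme', 10, 2 );

/**
 * @param string $url  URL built by admin_url(); HTTPS when admin SSL is forced.
 * @param string $path Path passed to admin_url(), e.g. 'admin-ajax.php'.
 * @return string URL with the scheme adjusted for admin-ajax.php only.
 */
function example_match_ajax_scheme( $url, $path ) {
    // Compare only the file name: drop a leading slash and any query string.
    $file = strtok( ltrim( (string) $path, '/' ), '?' );

    // Every other admin URL (dashboard screens, login redirects) is returned
    // untouched, so the forced-HTTPS admin area is not weakened.
    if ( 'admin-ajax.php' !== $file ) {
        return $url;
    }

    // A visitor on an http:// page gets an http:// AJAX endpoint, so the
    // browser never has to validate the self-signed certificate. Inside the
    // HTTPS dashboard is_ssl() is true and the URL stays on https://.
    return set_url_scheme( $url, is_ssl() ? 'https' : 'http' );
}
```

For HTTP visitors the nonce and the submitted form fields then travel unencrypted, exactly as the page that embeds the form already does. Behind a TLS-terminating proxy is_ssl() only reports HTTPS if the server is configured to pass that information through.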

The topic ‘ajax captcha image broken by https admin-ajax url’ is closed to new replies.