wp-https-domain-alias
CORS problem with requests to /wp-admin/admin-ajax.php
Many plugins use /wp-admin/admin-ajax.php to do API requests. Unfortunately, the official WP documentation recommends this as the way to define the URL of admin-ajax.php:
admin_url( 'admin-ajax.php' )
The function admin_url() calls get_admin_url() and it works in a way that we cannot inject easily there at the "root cause" of this problem: http://wpseek.com/get_admin_url/
We need some kind of workaround. There are two possible avenues:
- Force all /wp-admin/admin-ajax.php URLs to be root-relative URLs, thus avoiding any cross-site issues.
Perhaps combine this with an is_admin() check to make sure that the behaviour is intended when the user has the admin area open or if the user browses the front-facing site.
- Inject some CORS headers to allow e.g. http://site.com to access contents from https://site.example.com
Access-Control-Allow-Origin: http://site.com
This might, however, break some other policies or server settings, as defining such a header() from a plugin might confuse many admins.
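
A sketch of the second avenue using an explicit allowlist, added here as an example and not taken from the plugin. The `hda_*` function names are hypothetical, the hosts are the placeholders used above, and sending `Access-Control-Allow-Credentials` is an assumption based on admin-ajax.php relying on cookies.

```php
<?php
// Added example, not the plugin's code. hda_* names are hypothetical.

/** Reduce a URL or Origin value to scheme://host[:port], or null if unusable. */
function hda_normalize_origin( string $value ): ?string {
    $p = parse_url( trim( $value ) );
    if ( ! is_array( $p ) || empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        return null; // covers the literal "null" origin and malformed input
    }
    $scheme = strtolower( $p['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) || isset( $p['user'] ) ) {
        return null;
    }
    $origin = $scheme . '://' . strtolower( $p['host'] );
    return isset( $p['port'] ) ? $origin . ':' . $p['port'] : $origin;
}

/** Headers for an admin-ajax.php response; the Allow-* pair appears only on an exact allowlist match. */
function hda_cors_headers( ?string $request_origin, array $allowed ): array {
    $headers = array( 'Vary' => 'Origin' ); // response differs per Origin, so caches must key on it
    $origin  = null === $request_origin ? null : hda_normalize_origin( $request_origin );
    $allowed = array_filter( array_map( 'hda_normalize_origin', $allowed ) );
    if ( null !== $origin && in_array( $origin, $allowed, true ) ) {
        $headers['Access-Control-Allow-Origin']      = $origin; // one origin, never "*" with credentials
        $headers['Access-Control-Allow-Credentials'] = 'true';  // assumption: cookies are needed
    }
    return $headers;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: admin-ajax.php calls send_origin_headers(), which consults this filter.
    add_filter( 'allowed_http_origins', function ( $origins ) {
        $origins[] = hda_normalize_origin( 'http://site.com/' );
        return $origins;
    } );
} else {
    // Stand-alone run with constructed Origin values; only the first gets the Allow-* headers.
    $allowed = array( 'http://site.com/' ); // trailing slash is normalized away
    foreach ( array( 'http://site.com', 'http://site.com.evil.example', 'null' ) as $o ) {
        echo $o, ' => ', json_encode( hda_cors_headers( $o, $allowed ), JSON_UNESCAPED_SLASHES ), PHP_EOL;
    }
}
```

The comparison is an exact match on scheme, host and port, because browsers send `Origin` without a path and a substring or suffix check would also accept lookalike hosts.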