From 87ccd59dc09414c80413869e49ddf43d5271a9ac Mon Sep 17 00:00:00 2001
From: Bertrand Le Roy <bertrandleroy@gmail.com>
Date: Sun, 5 Jan 2014 16:11:33 -0800
Subject: [PATCH] SSL transitions from https to http should not be forced on
 Ajax requests, as they can result in mixed security, and cross-domain
 failures.

---
 .../Filters/SecureSocketsLayersFilter.cs                       | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/Orchard.Web/Modules/Orchard.SecureSocketsLayer/Filters/SecureSocketsLayersFilter.cs b/src/Orchard.Web/Modules/Orchard.SecureSocketsLayer/Filters/SecureSocketsLayersFilter.cs
index 01fd90de8..2d760b52c 100644
--- a/src/Orchard.Web/Modules/Orchard.SecureSocketsLayer/Filters/SecureSocketsLayersFilter.cs
+++ b/src/Orchard.Web/Modules/Orchard.SecureSocketsLayer/Filters/SecureSocketsLayersFilter.cs
@@ -53,7 +53,8 @@ namespace Orchard.SecureSocketsLayer.Filters {
 
             // non auth page on a secure canal
             // nb: needed as the ReturnUrl for LogOn doesn't force the scheme to http, and reuses the current one
-            if (!secure && request.IsSecureConnection) {
+            // Also don't force http on ajax requests.
+            if (!secure && request.IsSecureConnection && !request.IsAjaxRequest()) {
                 var insecureActionUrl = AppendQueryString(
                     request.QueryString,
                     _sslService.InsecureActionUrl(