
Changeset 40805


Timestamp:
05/19/2017 08:26:48 PM (8 years ago)
Author:
jnylen0
Message:

REST API: Avoid sending blank Last-Modified headers with authenticated requests.

This commit adds a new WP_REST_Server#remove_header method and uses it to clear the Last-Modified header when the "no caching" headers are sent (by default for all authenticated REST API requests). This matches the behavior of the nocache_headers function used in other parts of WordPress.

Previously, the REST API would send an empty Last-Modified header in this situation. Under some server and browser configurations, this causes browsers to cache authenticated REST API requests, which is undesirable.

Props iv3rson76, zinigor, rmccue, jnylen0.
Fixes #40444.

Location:
trunk
Files:
3 edited

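--- a/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -253,5 +253,9 @@
         if ( $send_no_cache_headers ) {
             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
-                $this->send_header( $header, $header_value );
+                if ( empty( $header_value ) ) {
+                    $this->remove_header( $header );
+                } else {
+                    $this->send_header( $header, $header_value );
+                }
             }
         }
@@ -1264,4 +1268,28 @@
 
     /**
+     * Removes an HTTP header from the current response.
+     *
+     * @since 4.8.0
+     * @access public
+     *
+     * @param string $key Header key.
+     */
+    public function remove_header( $key ) {
+        if ( function_exists( 'header_remove' ) ) {
+            // In PHP 5.3+ there is a way to remove an already set header.
+            header_remove( $key );
+        } else {
+            // In PHP 5.2, send an empty header, but only as a last resort to
+            // override a header already sent.
+            foreach ( headers_list() as $header ) {
+                if ( 0 === stripos( $header, "$key:" ) ) {
+                    $this->send_header( $key, '' );
+                    break;
+                }
+            }
+        }
+    }
+
+    /**
      * Retrieves the raw request entity (body).
      *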
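Review bot: The `empty( $header_value )` test in the first hunk also treats the string `'0'` and the integer `0` as blank, so a no-cache header whose value is `0` (for instance an `Expires: 0` supplied through a filter on wp_get_nocache_headers(), if one is registered) would be removed from an authenticated response instead of sent. Comparing against the blank values explicitly keeps such headers: `if ( null === $header_value || false === $header_value || '' === $header_value ) {`. In remove_header(), the PHP 5.2 branch still emits an empty header when one is already set, which is the situation the commit message describes as cacheable under some configurations; the docblock should say so, e.g. `* On PHP 5.2 an existing header is overwritten with an empty value rather than removed.` The method containing the first hunk starts and ends outside the hunk.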
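--- a/trunk/tests/phpunit/includes/spy-rest-server.php
+++ b/trunk/tests/phpunit/includes/spy-rest-server.php
@@ -30,4 +30,8 @@
     public function send_header( $header, $value ) {
         $this->sent_headers[ $header ] = $value;
+    }
+
+    public function remove_header( $header ) {
+        unset( $this->sent_headers[ $header ] );
     }
 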
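Review bot: The spy's `remove_header()` unsets by exact array key, while the production method matches header names without regard to case (`header_remove()`, and `stripos()` in the PHP 5.2 fallback), so a header sent as `Last-Modified` and removed as `last-modified` would be cleared in production but remain in `$sent_headers` here. A test relying on the spy could then report a header as sent when the real server would have dropped it, or the reverse. Either normalise the key in both spy methods or document the difference, e.g. `// Keys are matched case-sensitively, unlike real HTTP header names.` The new method also has no docblock, unlike the production method it overrides.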
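--- a/trunk/tests/phpunit/tests/rest-api/rest-server.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-server.php
@@ -764,7 +764,14 @@
 
         foreach ( wp_get_nocache_headers() as $header => $value ) {
+            if ( empty( $value ) ) {
+                continue;
+            }
+
             $this->assertTrue( isset( $headers[ $header ] ), sprintf( 'Header %s is not present in the response.', $header ) );
             $this->assertEquals( $value, $headers[ $header ] );
         }
+
+        // Last-Modified should be unset as per #WP23021
+        $this->assertFalse( isset( $headers['Last-Modified'] ), 'Last-Modified should not be sent.' );
     }
 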
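Review bot: `assertFalse( isset( $headers['Last-Modified'] ) )` also passes when the key is present with a null value, because isset() reports null entries as unset, so a regression that records a blank header as null would go unnoticed. `$this->assertArrayNotHasKey( 'Last-Modified', $headers, 'Last-Modified should not be sent.' );` checks for the key itself. As far as the hunk shows, no Last-Modified value is placed in the spy before the request is served, so the test does not confirm that an already-set header gets cleared; the test method starts outside the hunk, so this may be arranged earlier.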