
Changeset 40805


Timestamp:
05/19/17 20:26:48 (6 months ago)
Author:
jnylen0
Message:

REST API: Avoid sending blank Last-Modified headers with authenticated requests.

This commit adds a new WP_REST_Server#remove_header method and uses it to clear the Last-Modified header when the "no caching" headers are sent (by default for all authenticated REST API requests). This matches the behavior of the nocache_headers function used in other parts of WordPress.

Previously, the REST API would send an empty Last-Modified header in this situation. Under some server and browser configurations, this causes browsers to cache authenticated REST API requests, which is undesirable.

Props iv3rson76, zinigor, rmccue, jnylen0.
Fixes #40444.

Location:
trunk
Files:
3 edited

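--- a/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/trunk/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -253,5 +253,9 @@
         if ( $send_no_cache_headers ) {
             foreach ( wp_get_nocache_headers() as $header => $header_value ) {
-                $this->send_header( $header, $header_value );
+                if ( empty( $header_value ) ) {
+                    $this->remove_header( $header );
+                } else {
+                    $this->send_header( $header, $header_value );
+                }
             }
         }
@@ -1264,4 +1268,28 @@
 
     /**
+     * Removes an HTTP header from the current response.
+     *
+     * @since 4.8.0
+     * @access public
+     *
+     * @param string $key Header key.
+     */
+    public function remove_header( $key ) {
+        if ( function_exists( 'header_remove' ) ) {
+            // In PHP 5.3+ there is a way to remove an already set header.
+            header_remove( $key );
+        } else {
+            // In PHP 5.2, send an empty header, but only as a last resort to
+            // override a header already sent.
+            foreach ( headers_list() as $header ) {
+                if ( 0 === stripos( $header, "$key:" ) ) {
+                    $this->send_header( $key, '' );
+                    break;
+                }
+            }
+        }
+    }
+
+    /**
      * Retrieves the raw request entity (body).
      *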
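Review bot: The `empty( $header_value )` test in the no-cache loop also treats `'0'` and `0` as blank, so a value such as `Expires: 0` would be removed instead of sent. `wp_get_nocache_headers()` is defined outside this page; if its result can be changed by plugins, that would silently drop a cache-prevention header from authenticated responses. A strict check keeps the intent without that side effect: `if ( in_array( $header_value, array( null, false, '' ), true ) ) {`. The test loop in tests/rest-api/rest-server.php skips values with the same `empty( $value )` test, so it would not catch the difference. The enclosing method starts and ends outside the hunk.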
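--- a/trunk/tests/phpunit/includes/spy-rest-server.php
+++ b/trunk/tests/phpunit/includes/spy-rest-server.php
@@ -30,4 +30,8 @@
     public function send_header( $header, $value ) {
         $this->sent_headers[ $header ] = $value;
+    }
+
+    public function remove_header( $header ) {
+        unset( $this->sent_headers[ $header ] );
     }
 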
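Review bot: The spy's `remove_header()` unsets an exact array key, while the production fallback matches header names case-insensitively with `stripos()`, so a header recorded as `last-modified` would survive here but not in a real response. The spy presumably overrides the server method (the class declaration is outside the hunk), which means tests using it never run the real `header_remove()` call or the PHP 5.2 fallback. A short comment on the method would make that limit explicit, for example `// Test double: records the removal only; the real header_remove() path is not exercised.`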
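--- a/trunk/tests/phpunit/tests/rest-api/rest-server.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-server.php
@@ -764,7 +764,14 @@
 
         foreach ( wp_get_nocache_headers() as $header => $value ) {
+            if ( empty( $value ) ) {
+                continue;
+            }
+
             $this->assertTrue( isset( $headers[ $header ] ), sprintf( 'Header %s is not present in the response.', $header ) );
             $this->assertEquals( $value, $headers[ $header ] );
         }
+
+        // Last-Modified should be unset as per #WP23021
+        $this->assertFalse( isset( $headers['Last-Modified'] ), 'Last-Modified should not be sent.' );
     }
 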
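Review bot: The closing `assertFalse( isset( $headers['Last-Modified'] ) )` shows that no blank value was recorded, but nothing visible in the hunk sets a `Last-Modified` header before the no-cache headers are applied, so clearing an already-sent header is not demonstrated. The start of the test method is outside the hunk, so this may be covered there. If it is not, recording a `Last-Modified` value through the spy before the request is served would make the assertion prove the behaviour the commit message describes.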