Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#10671 closed enhancement (fixed)

Opt-out of content sniffing for admin ajax

Reported by: niallkennedy
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version: 2.8.4
Component: Administration
Keywords: has-patch commit
Focuses:
Cc:

Description

Browsers such as Internet Explorer include a MIME-sniffing feature that scans the beginning of a downloaded resource to determine the correct MIME render mode regardless of the Content-Type header. Internet Explorer 8 and Chromium allow page authors to opt-out of the sniff, asserting they don't need content to pass through such a feature.

Adding an HTTP header of "X-Content-Type-Options: nosniff" eliminates the sniffing process, speeding up content rendering.

Opting-out of browser MIME sniff is especially beneficial on small Ajax payloads. Starting with admin-ajax.php and index-extra.php from wp-admin for that reason.

Attachments (3)

admin-ajax.diff (470 bytes) - added by niallkennedy 6 years ago.
Admin ajax processor with sniff opt-out HTTP header.
index-extra.diff (403 bytes) - added by niallkennedy 6 years ago.
Extra dashboard content ajax handler with sniff opt-out HTTP header.
10671.diff (827 bytes) - added by chrisscott 5 years ago.


Change History (10)

@niallkennedy 6 years ago

Admin ajax processor with sniff opt-out HTTP header.

@niallkennedy 6 years ago

Extra dashboard content ajax handler with sniff opt-out HTTP header.

comment:1 @niallkennedy 6 years ago

  • Keywords has-patch added
  • Milestone changed from Unassigned to 2.8.5
  • Version set to 2.8.4

comment:2 @niallkennedy 6 years ago

  • Milestone changed from 2.8.5 to 2.9

comment:3 @ryan 6 years ago

  • Milestone changed from 2.9 to 3.0

@chrisscott 5 years ago

comment:4 @chrisscott 5 years ago

Combined these into one patch against r13299 in attachment:ticket:10671:10671.diff

Basic testing:

$ curl -I http://trunk.localhost.localdomain/wp-admin/admin-ajax.php?action=foo
HTTP/1.1 200 OK
Date: Mon, 22 Feb 2010 19:06:29 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
$ curl -I -b [cookie file] http://trunk.localhost.localdomain/wp-admin/index-extra.php
HTTP/1.1 200 OK
Date: Mon, 22 Feb 2010 19:15:10 GMT
Server: Apache/2.2.13 (Unix) mod_ssl/2.2.13 OpenSSL/0.9.8l DAV/2 PHP/5.3.0
X-Powered-By: PHP/5.3.0
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 22 Feb 2010 19:15:10 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
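A header audit check, added here as an example (not part of the ticket, the patch, or WordPress): it parses response headers of the shape `curl -I` prints above and reports whether the nosniff opt-out is in effect, applying the rule browsers use (first X-Content-Type-Options value, first comma-separated token, case-insensitive match on `nosniff`). The sample header blocks are constructed, modelled on the output shown in the comment.

```python
# Constructed samples modelled on the curl -I output in the ticket (not captured output).
WITH_NOSNIFF = """HTTP/1.1 200 OK
Date: Mon, 22 Feb 2010 19:06:29 GMT
X-Powered-By: PHP/5.3.0
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
"""
WITHOUT_NOSNIFF = """HTTP/1.1 200 OK
Date: Mon, 22 Feb 2010 19:06:29 GMT
Content-Type: text/html; charset=UTF-8
"""
NO_CONTENT_TYPE = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
"""

def parse_response_headers(raw):
    """Return (status_line, headers): names lowercased, repeated headers kept in order."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line instead of aborting the audit
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def nosniff_enabled(headers):
    """Browser rule: first X-Content-Type-Options value, first comma-separated
    token, compared case-insensitively to 'nosniff'; anything else means no opt-out."""
    values = headers.get("x-content-type-options")
    if not values:
        return False
    return values[0].split(",")[0].strip().lower() == "nosniff"

def audit_nosniff(raw):
    """Summarise one response: sniffing opted out? Content-Type declared at all?"""
    status, headers = parse_response_headers(raw)
    content_type = headers.get("content-type", [None])[0]
    return {
        "status": status,
        "nosniff": nosniff_enabled(headers),
        "content_type": content_type,
        # nosniff makes the browser trust the declared type; it does not replace declaring one.
        "declares_content_type": content_type is not None,
    }
```

Feed it the raw output of `curl -I` against admin-ajax.php or index-extra.php to confirm the patch's header reaches the client, including through any proxy or cache in front of the site.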

comment:5 @nacin 5 years ago

  • Keywords commit added; ajax removed

Looks good.

comment:6 @westi 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [13409]) Introduce send_nosniff_header() and use it to turn off content sniffing in supported browsers. Fixes #10671 props chrisscott and niallkennedy.

comment:7 @westi 5 years ago

I changed it around a little to introduce a function to send the header so we only have the header definition in one place.
