Opened 12 years ago
Closed 12 years ago
#21024 closed enhancement (fixed)
send_origin_headers for admin-ajax
| Reported by: | batmoo | Owned by: | ryan |
|---|---|---|---|
| Milestone: | 3.5 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | has-patch needs-testing commit |
| Focuses: | | Cc: | |
Description
admin-ajax should allow cross-domain requests for known domains by sending the correct Access-Control-Allow-Origin headers using send_origin_headers().

Note that the pre-flighted OPTIONS request that browsers make to check if the origin is allowed does not send the necessary params (specifically "action"), which means that admin-ajax's if ( empty( $_REQUEST['action'] ) ) check causes the request to fail, so that needs to be accounted for.

We should also send the Access-Control-Allow-Credentials: true header to allow authenticated cross-domain requests via the withCredentials: true flag. Maybe this can be an argument for send_origin_headers?
Attachments (3)
Change History (13)
#2
@
12 years ago
send_origin_headers() already sends Access-Control-Allow-Credentials: true automatically, so that's easy.

In order to get around the check for $_REQUEST['action'], we could detect the OPTIONS request, or just move the check to after wp-load.php and send_origin_headers().
I wonder if send_origin_headers() should be issuing a die() if the request method is OPTIONS. Otherwise, I'm pretty sure, we risk executing a request twice. Not a big issue when dealing with previews in the customizer, but certainly a problem with many/most/all ajax requests.
#3
@
12 years ago
- Keywords has-patch needs-testing added
21024.diff is my attempt to implement a simplified version of the attempted server-side access control listed here on MDN: https://developer.mozilla.org/En/Server-Side_Access_Control. Unverified, untested.
#5
@
12 years ago
- Owner set to ryan
- Resolution set to fixed
- Status changed from new to closed
In [21988]:
#6
@
12 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
And now for the admin-ajax bits.
#7
@
12 years ago
- Status changed from reopened to assigned
Two options. Check twice for $_REQUEST['action'], that way we can bail for non-OPTIONS requests before wp-load.php runs. Or just ignore the potential benefit to not loading WordPress.
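Putting together the pieces discussed in the description, in comment #2 and in this comment, the following is an added, stand-alone PHP model of the intended admin-ajax flow. It is example code written for this page, not WordPress core's send_origin_headers() or admin-ajax.php; the example_-prefixed function names, the origin allow-list and the sample requests are all constructed for the illustration. It shows the early bail for non-OPTIONS requests that carry no action (before wp-load.php would run), the origin allow-list check, the Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true headers, and the die() on the OPTIONS preflight so the real action is executed only once.

```php
<?php
// Added example: a simplified, stand-alone model of CORS handling for admin-ajax.
// Not WordPress core code; every example_* name below is constructed for this page.

/** Origins allowed to call admin-ajax cross-domain (constructed allow-list). */
function example_allowed_http_origins() {
    return array( 'https://example.com', 'https://www.example.com' );
}

/**
 * CORS headers for a request from $origin, or null if the origin is not allowed.
 * Credentials are only permitted together with an explicit origin: browsers
 * reject "*" combined with credentials, which is why an allow-list is needed.
 */
function example_origin_headers( $origin ) {
    if ( ! in_array( $origin, example_allowed_http_origins(), true ) ) {
        return null;
    }
    return array(
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin', // shared caches must key on Origin
    );
}

/**
 * Routing decision taken before WordPress is loaded:
 *   'bail'      not a preflight and no action: stop before wp-load.php
 *   'preflight' OPTIONS request: send origin headers, then die() without running an action
 *   'dispatch'  normal request: send origin headers if allowed, then run the action
 */
function example_admin_ajax_route( $method, array $request ) {
    if ( 'OPTIONS' === $method ) {
        return 'preflight'; // the preflight never carries "action", so it must skip that check
    }
    if ( empty( $request['action'] ) ) {
        return 'bail';      // the original empty( $_REQUEST['action'] ) check, non-OPTIONS only
    }
    return 'dispatch';
}

/**
 * Apply the decision. $emit receives each header line and $stop stands in for
 * die(), so the flow can be exercised without a live HTTP response.
 */
function example_handle( $method, $origin, array $request, callable $emit, callable $stop ) {
    $route = example_admin_ajax_route( $method, $request );
    if ( 'bail' === $route ) {
        $stop( '0' );
        return $route;
    }
    $headers = example_origin_headers( $origin );
    if ( null !== $headers ) {
        foreach ( $headers as $name => $value ) {
            $emit( "$name: $value" );
        }
    }
    if ( 'preflight' === $route ) {
        $stop( '' ); // die() here: the action runs exactly once, on the follow-up request
    }
    return $route;
}

// Constructed sample requests exercising each path.
$cases = array(
    array( 'OPTIONS', 'https://example.com',  array() ),                          // preflight, allowed origin
    array( 'POST',    'https://example.com',  array( 'action' => 'heartbeat' ) ), // real request, allowed origin
    array( 'POST',    'https://evil.invalid', array( 'action' => 'heartbeat' ) ), // unknown origin: no CORS headers
    array( 'GET',     'https://example.com',  array() ),                          // no action, not a preflight: bail
);
foreach ( $cases as $case ) {
    list( $method, $origin, $request ) = $case;
    $sent  = array();
    $route = example_handle(
        $method, $origin, $request,
        function ( $line ) use ( &$sent ) { $sent[] = $line; },
        function ( $body ) { /* would be die( $body ) in admin-ajax.php */ }
    );
    printf( "%-7s %-22s -> %-9s %s\n", $method, $origin, $route,
        $sent ? implode( '; ', $sent ) : '(no CORS headers)' );
}
```

Two design points worth noting. First, the preflight path stops before any action handler is reached, which is the "die() if the request method is OPTIONS" concern from comment #2: without it the browser's preflight and the real request would both execute the handler. Second, a request from an origin that is not on the list still runs the action on the server; the missing headers only stop the browser from exposing the response to that page, so the origin allow-list complements, rather than replaces, the nonce and capability checks inside the individual admin-ajax actions.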
#8
@
12 years ago
- Keywords commit added
Commit candidate. Needs proper testing. Leaving this up to ryan.
We discussed this during 3.4 — this is a very good idea.