Opened 4 years ago

Closed 4 years ago

#40917 closed defect (bug) (invalid)

Some HTTP headers are duplicated on admin-ajax.php responses

Reported by: EatonZ
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.7.5
Component: Administration
Keywords:
Focuses:
Cc:

Description

When a request is sent via admin-ajax.php, the response consistently includes some duplicated HTTP headers.

This is likely related to IIS, as the site is running on IIS 8.5.

The following are the custom headers specified in my web.config file:

<customHeaders>
  <add name="Arr-Disable-Session-Affinity" value="true" />
  <add name="Referrer-Policy" value="no-referrer-when-downgrade" />
  <add name="X-Content-Type-Options" value="nosniff" />
  <add name="X-Frame-Options" value="SAMEORIGIN" />
  <add name="X-XSS-Protection" value="1; mode=block" />
  <remove name="X-Powered-By" />
</customHeaders>

Please refer to the attached screenshot. You can see that some of the custom headers I have specified get duplicated.

This looks to be a bug. Please let me know if you need any more details.

Attachments (1)

Bug.png (17.8 KB) - added by EatonZ 4 years ago.
Duplicated HTTP response headers

Change History (2)

@EatonZ
4 years ago

Duplicated HTTP response headers

#1 @dd32
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @EatonZ,

Unfortunately it looks like this is probably a "bug" in IIS - probably an expected scenario.

It looks like IIS simply appends the specified headers to whatever PHP outputs, which means WordPress is unable to detect that the headers are going to apply - we could parse the web.config file on each pageload, but that would be inefficient and likely not very precise.

The duplicated headers are not actually a problem for most clients, and given they're the same values, they shouldn't cause any issue.

I'm going to close this as invalid due to that, but if you're aware of a method that WordPress could avoid this scenario we could re-open it.
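An added check, not code from the ticket, WordPress or IIS, that parses a captured response header block and reports repeated header names; it goes beyond the ticket by distinguishing identical duplicates (the benign case dd32 describes) from conflicting ones. The sample response is constructed for the example.

```python
"""Check an HTTP response for duplicated header fields (constructed example,
not WordPress or IIS code). Input is a raw header block as captured with a
browser's network panel or `curl -i`."""
from collections import OrderedDict

# Constructed sample: an admin-ajax.php style response on which IIS has
# appended the reporter's web.config customHeaders. The conflicting
# X-Frame-Options value is invented here to show the non-benign case.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return lowercase name -> list of values, preserving wire order.
    Header names are case-insensitive (RFC 7230), so they are folded."""
    headers = OrderedDict()
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_duplicates(raw):
    """Map each repeated header name to 'identical' (the benign case the
    ticket describes) or 'conflicting' (values differ, which clients may
    resolve differently and which therefore needs attention)."""
    report = {}
    for name, values in parse_headers(raw).items():
        if len(values) > 1:
            distinct = {v.lower() for v in values}
            report[name] = "identical" if len(distinct) == 1 else "conflicting"
    return report


if __name__ == "__main__":
    for name, verdict in find_duplicates(SAMPLE_RESPONSE).items():
        print(f"{name}: {verdict}")
```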