Make WordPress Core

Opened 7 years ago

Closed 4 years ago

Last modified 4 years ago

#41696 closed defect (bug) (fixed)

Content-Disposition header is blocked by CORS

Reported by: rmccue's profile rmccue Owned by: timothyblynjacobs's profile TimothyBlynJacobs
Milestone: 5.5 Priority: low
Severity: minor Version: 4.7
Component: REST API Keywords: has-patch
Focuses: Cc:


The media upload endpoint in the REST API accepts files in two formats: form data (multipart/form-data) and direct upload (image/png e.g.). When uploading in direct format, the desired filename is passed in the Content-Disposition header (e.g. Content-Disposition: atttachment; filename="file.jpg").

When sending requests across a cross-site boundary, browser preflight requests only allow a certain subset of headers to be sent. We whitelist Authorization and Content-Type in addition to the regular headers, but neither Content-Disposition nor Content-MD5 are permitted by default or explicitly.

This means that a simple fetch using a File/Blob object (e.g. from an <input type="file" /> or HTML5 drag-and-drop) for the body will fail:

const url = ``;
const opts = {
	method: 'POST',
	headers: {
		'Content-Disposition': 'attachment; filename="test.txt"',
	body: new Blob( [ 'test data' ] ),
fetch( url, opts ).then( resp => console.log( resp ) );

However, this is allowed by packing the data into a FormData object instead:

const url = ``;
const opts = {
	method: 'POST',
opts.body = new FormData();
const file = new Blob( [ 'test data' ] ); = 'test.txt';
opts.body.append( 'file', file );
fetch( url, opts ).then( resp => console.log( resp ) );

We should fix this inconsistency to allow for the simpler request format.

Attachments (1)

41696.diff (1.3 KB) - added by rmccue 7 years ago.
Add Content-Disposition and Content-MD5 to allowed headers, and add filter to allow custom headers

Download all attachments as: .zip

Change History (6)

7 years ago

Add Content-Disposition and Content-MD5 to allowed headers, and add filter to allow custom headers

This ticket was mentioned in Slack in #core-restapi by dingo_d. View the logs.

6 years ago

#3 @TimothyBlynJacobs
4 years ago

  • Milestone changed from Awaiting Review to 5.5

Adding this to 5.5 to accompany #50369. I've added a PR that is the same as 41696.diff but without the short array syntax and I've added the X-WP-Nonce header. Passing the nonce was already possible through the _wpnonce query parameter, but I think its worthwhile to have parity. wp.apiFetch also uses the X-WP-Nonce header.

#4 @TimothyBlynJacobs
4 years ago

  • Owner set to TimothyBlynJacobs
  • Resolution set to fixed
  • Status changed from new to closed

In 48452:

REST API: Add Content-Disposition, Content-MD5 and X-WP-Nonce as allowed cors headers.

The Content-Disposition and Content-MD5 headers allow for easier file uploading across domains by using a File/Blob object directly. The X-WP-Nonce header is allowed for making cross-origin and same-origin authenticated requests consistent.

Additionally a filter is introduced, "rest_allowed_cors_headers", to simplify the process of allowing additional request headers.

Props rmccue, TimothyBlynJacobs.
Fixes #41696.

TimothyBJacobs commented on PR #344:

4 years ago

This was merged.

Note: See TracTickets for help on using tickets.