Make WordPress Core

Opened 2 years ago

Last modified 19 months ago

#41696 new defect (bug)

Content-Disposition header is blocked by CORS

Reported by: rmccue
Owned by: (none)
Milestone: Awaiting Review
Priority: low
Severity: minor
Version: 4.7
Component: REST API
Keywords: has-patch
Focuses: (none)
Cc: (none)
PR Number: (none)

Description

The media upload endpoint in the REST API accepts files in two formats: form data (multipart/form-data) and direct upload (image/png e.g.). When uploading in direct format, the desired filename is passed in the Content-Disposition header (e.g. Content-Disposition: attachment; filename="file.jpg").

When sending requests across a cross-site boundary, browser preflight requests only allow a certain subset of headers to be sent. We whitelist Authorization and Content-Type in addition to the regular headers, but neither Content-Disposition nor Content-MD5 is permitted by default or explicitly.

This means that a simple fetch using a File/Blob object (e.g. from an <input type="file" /> or HTML5 drag-and-drop) for the body will fail:

// Direct upload: the file's bytes are the request body and the filename
// travels in the Content-Disposition header. Cross-origin, the preflight
// rejects that header because it is not in Access-Control-Allow-Headers.
const url = `http://example.com/wp-json/wp/v2/media`;
const opts = {
	method: 'POST',
	headers: {
		'Content-Disposition': 'attachment; filename="test.txt"',
	},
	body: new Blob( [ 'test data' ] ),
};
fetch( url, opts ).then( resp => console.log( resp ) );

However, this is allowed by packing the data into a FormData object instead:

// FormData upload: the browser sets a multipart/form-data Content-Type,
// which is a CORS-safelisted value, so no extra header needs to be allowed.
const url = `http://example.com/wp-json/wp/v2/media`;
const opts = {
	method: 'POST',
};
opts.body = new FormData();
const file = new Blob( [ 'test data' ] );
// Pass the filename as the third argument; assigning file.name on a Blob
// does not change the filename sent in the multipart body.
opts.body.append( 'file', file, 'test.txt' );
fetch( url, opts ).then( resp => console.log( resp ) );

We should fix this inconsistency to allow for the simpler request format.
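To make the preflight behaviour above concrete, here is an added example (not part of the ticket or of WordPress core) that models the browser's check of request headers against the server's Access-Control-Allow-Headers list; the header lists, MIME types and request shapes are constructed to mirror the two requests in the description, and the post-patch list is assumed from the attachment summary.

```javascript
// Constructed model (not WordPress code) of the browser's preflight check on
// request headers: which headers the server must list in
// Access-Control-Allow-Headers before the browser will send the real request.

// CORS-safelisted request headers never need to be allowed explicitly;
// Content-Type only qualifies when its value is one of three simple MIME types.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED.has(n)) return false;
  if (n !== 'content-type') return true;
  const mime = value.split(';')[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.includes(mime);
}

// Returns the request headers the preflight would reject, given the server's
// Access-Control-Allow-Headers list; an empty array means the request goes through.
function preflightRejects(requestHeaders, allowedHeaders) {
  const allowed = new Set(allowedHeaders.map((h) => h.toLowerCase()));
  return Object.keys(requestHeaders).filter(
    (name) => !isSafelisted(name, requestHeaders[name]) && !allowed.has(name.toLowerCase())
  );
}

// Server side: headers the REST API allows today, and after the ticket's patch
// (the post-patch list is assumed from the attachment description).
const BEFORE_PATCH = ['Authorization', 'Content-Type'];
const AFTER_PATCH = [...BEFORE_PATCH, 'Content-Disposition', 'Content-MD5'];

// Client side, constructed to match the two requests in the ticket.
// Direct upload: raw file bytes in the body, filename in Content-Disposition.
const directUpload = {
  'Content-Type': 'image/png',
  'Content-Disposition': 'attachment; filename="test.txt"',
};
// FormData upload: the browser sets a multipart/form-data Content-Type itself.
const formDataUpload = { 'Content-Type': 'multipart/form-data; boundary=constructed' };

console.log(preflightRejects(directUpload, BEFORE_PATCH));   // [ 'Content-Disposition' ]
console.log(preflightRejects(directUpload, AFTER_PATCH));    // []
console.log(preflightRejects(formDataUpload, BEFORE_PATCH)); // []
```

The model only covers the header check; real preflights also consider the method and credentials, and Content-Type stops being safelisted for any value outside the three listed.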

Attachments (1)

41696.diff (1.3 KB) - added by rmccue 2 years ago.
Add Content-Disposition and Content-MD5 to allowed headers, and add filter to allow custom headers


Change History (2)

@rmccue
2 years ago

Add Content-Disposition and Content-MD5 to allowed headers, and add filter to allow custom headers

19 months ago

This ticket was mentioned in Slack in #core-restapi by dingo_d.
