class-wp-rest-server sends response body regardless of actual response code or result type

[matthias.thiel]

The WP Rest Server always echoes the result of wp_json_encode unless there is an error.

See line 410 of class-wp-rest-server.php

echo $result;

A use case where this leads to an undesired behaviour is when using the HTTP Status Code 204 which implies no response body being sent. Returning a rest response with a status code 204 will send a body at the moment.

There are two problems with this behaviour:

1. A response status 204 should not send any body content
2. A response data of null (new \WP_REST_Response( null, 204 )) will be sent as the (string) null

Most clients are pretty forgiving and will ignore the request body but MacOS Safari will not complete the request in this situation and will try to parse the null response as JSON. I found the behaviour is also server configuration specific as some configurations will strip the response body automatically and some will not.

Since there is no consistency in treating a 204 response by servers and browsers, I would suggest to stick to the spec (​https://tools.ietf.org/search/rfc2616#section-4.3) and not return a response at all.

I can see two ways to achieve this:

1. Consult the response status to decide whether or not to return a response body, which is spec compliant
2. Consult the response data and treat null by not sending a response body, which honours the semantic of null.

[TimothyBlynJacobs]

There is a related Gutenberg ticket, ​https://github.com/WordPress/gutenberg/pull/11208

Handling null is probably the safest way to go. It is hard to see a reason why someone would expect the string "null" to appear in the response body when using the null type in PHP and as such is least likely to cause a BC break.

We could also consider adding a _doing_it_wrong if a response body is sent with a 204 response code.

[andizer]

Remove the 410, 451 types which actually can have a body.

[TimothyBlynJacobs]

Thanks for the patch @andizer!

After discussing in #core-restapi, I think it makes sense to drop the _doing_it_wrong if people are sending null without using the 204 response code and instead return null there as well.

Do you want to work on unit tests for this?

[kadamwhite]

In 45809:

REST API: Do not send response body if status is 204 or body is null.

Status code 204 should indicate no response body is sent. Previously, a "null" string was sent, which MacOS Safari would try to parse as JSON and thereby fail to complete the request.

Props TimothyBlynJacobs, andizer, matthias.thiel.
Fixes #43691.