Remove deflate/gzip compression from load-scripts.php / load-styles.php

[LucasRolff]

In WordPress trunk (and other WP versions after 2.8) the load-styles.php and load-scripts.php does deflate or gzip compression based on the Accept-Encoding header.

In the recent times where Brotli compression got introduced in various web servers, it can often result in double compression leading to bugs in browsers such as Safari that doesn't handle double compression at all.

Chrome, Firefox and Opera seem to decompress double compressed content over two steps and causes no issues (other than making the browser decompress twice).

However, safari will end up with the error "cannot decode raw data".

My suggestion would be to remove the whole compression part from wp-admin/load-styles.php and wp-admin/load-scripts.php

There's no reason to keep this around anymore, the majority of web servers these days already do the needed compression (deflate,gzip,br) and it's a lot better to handle on the web server level instead of within the application.

I can see that @azaozz submitted a patch in ticket #43308 in regards to CVE-2018-6389 - however, that patch never made it into a release.

[azaozz]

Brotli compression got introduced in various web servers, it can often result in double compression...

This is (generally) a problem with the compressor or its configuration. It shouldn't double-compress anything.

However we still need to remove the PHP based compression from load-styles.php and load-scripts.php as an improvement to the problems described in #43308. It is just too slow and takes a lot of server resources.

[LucasRolff]

Thanks for the quick reply @azaozz !

I've also opened a bug report with the web server software, so they'll handle the deflate issue - it seems that gzip <> Brotli conversion works fine, but deflate breaks it (which is the first one that the if condition checks for).

If it could already get into 4.9.9 that would be awesome!

Have an awesome day :)

[LucasRolff]

patch for ticket #44815

[azaozz]

In 43580:

Script loader: remove (PHP based) compression from load-styles.php and load-scripts.php. WIth the amount of scripts and stylesheets grown a lot over the years, it has become pretty slow and consumes a lot of server resources. Also, most servers are set to compress PHP output anyway.

Props LucasRolff, azaozz.

Fixes #44815.
See #43308.

[azaozz]

Reopen for 4.9.9.

[SergeyBiryukov]

In 43618:

Script loader: remove (PHP based) compression from load-styles.php and load-scripts.php. WIth the amount of scripts and stylesheets grown a lot over the years, it has become pretty slow and consumes a lot of server resources. Also, most servers are set to compress PHP output anyway.

Props LucasRolff, azaozz.
Merges [43580] to the 4.9 branch.
Fixes #44815. See #43308.

[pento]

Let's leave this in 4.9.9, it just needs to be merged into the 5.0 branch.

[SergeyBiryukov]

In 43697:

Script loader: remove (PHP based) compression from load-styles.php and load-scripts.php. WIth the amount of scripts and stylesheets grown a lot over the years, it has become pretty slow and consumes a lot of server resources. Also, most servers are set to compress PHP output anyway.

Props LucasRolff, azaozz.
Merges [43580] to the 5.0 branch.
Fixes #44815. See #43308.