Make WordPress Core

Opened 4 weeks ago

Last modified 12 days ago

#46025 assigned defect (bug)

_json_wp_die_handler doesn't handle JSONP requests

Reported by: spacedmonkey Owned by: spacedmonkey
Milestone: 5.2 Priority: normal
Severity: normal Version: trunk
Component: Bootstrap/Load Keywords: has-patch needs-testing servehappy
Focuses: multisite Cc:

Description

Originally raised in #45933, but the new wp_die handler _json_wp_die_handler doesn't support JSONP requests and returns an invalid response. The REST API supports returning JSONP responses; this handler should too.

Attachments (4)

46025.diff (2.2 KB) - added by spacedmonkey 4 weeks ago.
46025.2.diff (3.2 KB) - added by spacedmonkey 4 weeks ago.
46025.3.diff (3.2 KB) - added by spacedmonkey 4 weeks ago.
46025.4.diff (3.3 KB) - added by spacedmonkey 3 weeks ago.


Change History (17)

This ticket was mentioned in Slack in #core-php by spacedmonkey. (4 weeks ago)

#3 @pento
4 weeks ago

  • Milestone changed from Awaiting Review to 5.1

Setting Milestone to 5.1 for review.

This ticket was mentioned in Slack in #core-php by flixos90. (4 weeks ago)

#5 @flixos90
4 weeks ago

  • Owner set to spacedmonkey
  • Status changed from new to assigned


#6 @spacedmonkey
4 weeks ago

Added another handler for JSONP. Also added another function, wp_is_jsonp_request.

Can you review please, @flixos90?

This ticket was mentioned in Slack in #core-php by spacedmonkey. (4 weeks ago)

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 weeks ago)

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 weeks ago)

#10 @TimothyBlynJacobs
3 weeks ago

The REST API also sends an X-Content-Type-Options: nosniff header which is accompanied by this doc:

/*
 * Mitigate possible JSONP Flash attacks.
 *
 * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 */

Seems this should also be sent in this handler.


#11 @spacedmonkey
3 weeks ago

After feedback from @timothyblynjacobs, I have added the following lines to add extra headers.

header( 'X-Content-Type-Options: nosniff' );
header( 'X-Robots-Tag: noindex' );

One fixes a CORS issue and one is SEO related.
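To show how the headers from comments #10 and #11 fit together with a JSONP callback check, here is an added illustration written for this ticket; it is neither 46025.diff nor core's own _json_wp_die_handler, and the function names and the error code string are hypothetical.

```php
<?php
// Added example: a minimal JSONP-aware wp_die-style error response. It sends the
// nosniff and noindex headers from comment #11 and only accepts callback names
// made of word characters and dots (the character set the REST API allows), so
// a callback cannot inject arbitrary JavaScript into the response body.

function is_safe_jsonp_callback( $callback ) {
    return is_string( $callback )
        && '' !== $callback
        && ! preg_match( '/[^\w\.]/', $callback );
}

/**
 * Returns array( 'status' => int, 'headers' => array, 'body' => string ).
 * With a valid callback the body is a JavaScript call; with no callback it is
 * plain JSON; with an invalid callback JSONP is refused and a JSON 400 is sent.
 */
function build_json_die_response( $message, $code, $status, $callback = null ) {
    $headers = array(
        // Forbid MIME sniffing; mitigates JSONP Flash (Rosetta Flash) abuse.
        'X-Content-Type-Options' => 'nosniff',
        // Keep error responses out of search engine indexes.
        'X-Robots-Tag'           => 'noindex',
        'Content-Type'           => 'application/json; charset=UTF-8',
    );
    $data = array( 'code' => $code, 'message' => $message, 'data' => array( 'status' => $status ) );

    if ( null === $callback ) {
        return array( 'status' => $status, 'headers' => $headers, 'body' => json_encode( $data ) );
    }
    if ( ! is_safe_jsonp_callback( $callback ) ) {
        $err = array( 'code' => 'jsonp_callback_invalid', 'message' => 'Invalid JSONP callback function.', 'data' => array( 'status' => 400 ) );
        return array( 'status' => 400, 'headers' => $headers, 'body' => json_encode( $err ) );
    }
    $headers['Content-Type'] = 'application/javascript; charset=UTF-8';
    // The leading comment keeps attacker-chosen bytes off the start of the body.
    $body = '/**/' . $callback . '(' . json_encode( $data ) . ')';
    return array( 'status' => $status, 'headers' => $headers, 'body' => $body );
}

/** Emit a built response; side effects are isolated here so the builder stays testable. */
function send_json_die_response( $response ) {
    http_response_code( $response['status'] );
    foreach ( $response['headers'] as $name => $value ) {
        header( $name . ': ' . $value );
    }
    echo $response['body'];
}

// Constructed usage: a missing-page error for a request with ?_jsonp=handleError
send_json_die_response( build_json_die_response( 'Not found.', 'not_found', 404, 'handleError' ) );
```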

#12 @flixos90
2 weeks ago

  • Milestone changed from 5.1 to 5.2

This ticket was mentioned in Slack in #core-php by spacedmonkey. (12 days ago)