
Opened 3 months ago

Closed 4 weeks ago

Last modified 4 weeks ago

#46025 closed defect (bug) (fixed)

_json_wp_die_handler doesn't handle JSONP request

Reported by: spacedmonkey Owned by: spacedmonkey
Milestone: 5.2 Priority: normal
Severity: normal Version: 5.1
Component: Bootstrap/Load Keywords: has-patch needs-testing servehappy
Focuses: multisite Cc:

Description

Originally raised in #45933, but the new wp_die handler _json_wp_die_handler doesn't support JSONP requests and returns an invalid response. The REST API supports returning JSONP responses, so this handler should too.

Attachments (4)

46025.diff (2.2 KB) - added by spacedmonkey 3 months ago.
46025.2.diff (3.2 KB) - added by spacedmonkey 3 months ago.
46025.3.diff (3.2 KB) - added by spacedmonkey 3 months ago.
46025.4.diff (3.3 KB) - added by spacedmonkey 3 months ago.


Change History (27)

@spacedmonkey
3 months ago

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 months ago)

#3 @pento
3 months ago

  • Milestone changed from Awaiting Review to 5.1

Setting Milestone to 5.1 for review.

This ticket was mentioned in Slack in #core-php by flixos90. (3 months ago)

#5 @flixos90
3 months ago

  • Owner set to spacedmonkey
  • Status changed from new to assigned

#6 @spacedmonkey
3 months ago

Added another handler for JSONP. Also added another function, wp_is_jsonp_request.

Can you review, please, @flixos90?

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 months ago)

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 months ago)

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 months ago)

#10 @TimothyBlynJacobs
3 months ago

The REST API also sends an X-Content-Type-Options: nosniff header, which is accompanied by this doc:

/*
 * Mitigate possible JSONP Flash attacks.
 *
 * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 */

Seems this should also be sent in this handler.

#11 @spacedmonkey
3 months ago

After feedback from @timothyblynjacobs, I have added the following lines to add extra headers.

header( 'X-Content-Type-Options: nosniff' );
header( 'X-Robots-Tag: noindex' );

One fixes a CORS issue and one is SEO related.
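For readers following the thread, here is a self-contained sketch of what such a JSONP die handler has to get right: validating the callback name, sending the nosniff header discussed above, and prefixing the body with `/**/`. It is an added illustrative example, not WordPress core's own _jsonp_wp_die_handler; the `_jsonp` parameter name, the function names and the sample callbacks are assumptions.

```php
<?php
// Added illustrative example, not WordPress core's _jsonp_wp_die_handler.
// Assumes the JSONP callback arrives in a `_jsonp` query parameter (the REST
// API convention) and models the handler as a function returning status,
// headers and body so it can be exercised from the CLI.

// Accept only word characters and dots in the callback name. Anything else
// (parentheses, quotes, angle brackets) would let the caller inject script
// into the response body.
function jsonp_callback_is_safe( $callback ) {
	return is_string( $callback ) && '' !== $callback && ! preg_match( '/[^\w.]/', $callback );
}

// Build the wp_die()-style JSONP response for an error message.
function jsonp_die_response( $message, $code, $callback, $status = 500 ) {
	$payload = array( 'code' => $code, 'message' => $message, 'data' => array( 'status' => $status ) );
	// HEX flags keep <, >, &, ' and " out of the literal so the body stays inert
	// even if a browser were to render it as HTML.
	$json = json_encode( $payload, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );

	$headers = array(
		'X-Content-Type-Options: nosniff', // stops content sniffing (Rosetta Flash)
		'X-Robots-Tag: noindex',
	);

	if ( ! jsonp_callback_is_safe( $callback ) ) {
		// Unsafe callback: degrade to plain JSON rather than echo caller-supplied text.
		$headers[] = 'Content-Type: application/json; charset=utf-8';
		return array( 'status' => $status, 'headers' => $headers, 'body' => $json );
	}

	$headers[] = 'Content-Type: application/javascript; charset=utf-8';
	// The leading /**/ keeps the response from starting with caller-chosen
	// bytes, the other half of the Rosetta Flash mitigation.
	$body = '/**/' . $callback . '(' . $json . ');';
	return array( 'status' => $status, 'headers' => $headers, 'body' => $body );
}

if ( PHP_SAPI === 'cli' ) {
	// Constructed sample inputs: one well-formed callback, one injection attempt.
	foreach ( array( 'jQuery123_cb', 'alert(1);//' ) as $cb ) {
		$r = jsonp_die_response( 'There has been a critical error.', 'internal_server_error', $cb );
		echo $r['status'], "\n", implode( "\n", $r['headers'] ), "\n", $r['body'], "\n\n";
	}
}
```

Run with `php` from the command line: the first callback produces a `/**/jQuery123_cb({...});` body, the second falls back to a plain JSON body with no callback wrapper.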

#12 @flixos90
3 months ago

  • Milestone changed from 5.1 to 5.2

This ticket was mentioned in Slack in #core-php by spacedmonkey. (3 months ago)

#14 @flixos90
5 weeks ago

  • Milestone changed from 5.2 to 5.3

#15 @flixos90
5 weeks ago

  • Milestone 5.3 deleted
  • Resolution set to invalid
  • Status changed from assigned to closed

This ticket is based on the old fatal error recovery mode implementation and will be covered as part of #46130.

This ticket was mentioned in Slack in #core-php by spacedmonkey. (5 weeks ago)

#17 @spacedmonkey
5 weeks ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Re-opened as still valid; this should be a separate ticket from #46130.

#18 @SergeyBiryukov
4 weeks ago

  • Milestone set to 5.3

Restoring the milestone.

This ticket was mentioned in Slack in #core-php by spacedmonkey. (4 weeks ago)

This ticket was mentioned in Slack in #core-php by spacedmonkey. (4 weeks ago)

#21 @SergeyBiryukov
4 weeks ago

  • Milestone changed from 5.3 to 5.2

Moving to 5.2, per the latest #core-php chat.

#22 @SergeyBiryukov
4 weeks ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 45015:

Bootstrap/Load: Add support for JSONP requests to wp_die().

In addition to AJAX, XML-RPC, and JSON requests, wp_die() now handles JSONP requests correctly, returning information in the expected content type.

Props spacedmonkey, TimothyBlynJacobs.
Fixes #46025. See #44458.

#23 @SergeyBiryukov
4 weeks ago

In 45017:

Docs: Improve documentation for wp_die() handlers after [45015] and [45016].

See #46543, #46025, #46026.
