[wp-trac] [WordPress Trac] #45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin

WordPress Trac noreply at wordpress.org
Wed Dec 5 15:58:52 UTC 2018


#45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin
-----------------------------------+------------------------------
 Reporter:  BjornW                 |       Owner:  (none)
     Type:  enhancement            |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  REST API               |     Version:
 Severity:  normal                 |  Resolution:
 Keywords:  has-patch 2nd-opinion  |     Focuses:
-----------------------------------+------------------------------

Comment (by BjornW):

 @swissspidy and I had a quick chat about this.


 @swissspidy: According to older HackerOne reports WordPress should not be
 vulnerable to exploitation of this due to WordPress requiring a nonce to
 be sent with each request.

 @bjornw: However, I worry about plugins adding endpoints and making
 mistakes. My patch makes sure only Allowed Origins are sent the proper
 headers, which seems like a good idea to me.
 I'm not a CORS expert and it is rather complex, and I also understand the
 need for a user-friendly default for WordPress, but I'd suggest we at
 least reconsider the current implementation and see if it is still the
 best option. Especially since the REST API cannot be easily switched off
 anymore with Gutenberg out.

 Other projects had a similar implementation (I don't know if they used
 nonces) and considered it an issue:

 - https://www.npmjs.com/advisories/148
 - https://web-in-security.blogspot.com/2017/07/cors-misconfigurations-on-large-scale.html
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014

 Why should we allow any Origin to get the CORS headers without
 verification? Is there something I've overlooked?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45477#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
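The allow-list approach the comment argues for, as an added example that is not the ticket's patch and not WordPress core code. It assumes the real core hooks and helpers (`rest_pre_serve_request`, `rest_send_cors_headers()`, `get_http_origin()`, `is_allowed_http_origin()`, the `allowed_http_origins` filter); the plugin function name and the `https://app.example.com` origin are constructed for the example.

```php
<?php
/**
 * Added example (not the ticket's patch): replace the Origin-reflecting
 * REST CORS handler with one that only answers allow-listed origins.
 * Assumes WordPress core's rest_send_cors_headers(), get_http_origin(),
 * is_allowed_http_origin() and the allowed_http_origins filter.
 */

// 1. Declare which cross-site origins may call the REST API with credentials.
//    Core's default list is the site's own home/site URLs; this appends one
//    constructed example origin to it.
add_filter( 'allowed_http_origins', function ( array $origins ) {
    $origins[] = 'https://app.example.com'; // constructed example value
    return $origins;
} );

// 2. Stop core from echoing an arbitrary request Origin back verbatim.
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );

// 3. Send CORS headers only when the Origin matches the allow-list exactly.
//    is_allowed_http_origin() returns the origin on an exact match and ''
//    otherwise, so scheme and host must both match; a lookalike host that
//    merely contains or ends with the allowed name is rejected.
function example_rest_send_allowlisted_cors_headers( $served ) {
    $origin = get_http_origin(); // '' when the request carries no Origin header

    // No Origin (same-origin page or non-browser client), or the opaque
    // "null" origin sent for file:// and sandboxed documents: add nothing.
    if ( '' === $origin || 'null' === $origin ) {
        return $served;
    }

    if ( '' === is_allowed_http_origin( $origin ) ) {
        // Unknown origin: no Allow-Origin/Allow-Credentials headers, so the
        // browser refuses to expose the response to the calling page.
        // Vary: Origin keeps shared caches from serving one origin's answer
        // to another.
        header( 'Vary: Origin', false );
        return $served;
    }

    header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
    header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
    header( 'Access-Control-Allow-Credentials: true' );
    header( 'Vary: Origin', false );

    return $served;
}
add_filter( 'rest_pre_serve_request', 'example_rest_send_allowlisted_cors_headers' );
```

Drop this into a must-use plugin and check with a browser request from a non-listed origin that the response carries no `Access-Control-Allow-Origin` header, while a request from `https://app.example.com` still does.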