[wp-trac] [WordPress Trac] #45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin

WordPress Trac noreply at wordpress.org
Wed Dec 5 20:53:31 UTC 2018


#45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin
-----------------------------------+------------------------------
 Reporter:  BjornW                 |       Owner:  (none)
     Type:  enhancement            |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  REST API               |     Version:
 Severity:  normal                 |  Resolution:
 Keywords:  has-patch 2nd-opinion  |     Focuses:
-----------------------------------+------------------------------

Comment (by BjornW):

 Replying to [comment:7 slackbot]:
 > ''This ticket was mentioned in [https://make.wordpress.org/chat/ Slack]
 > in #core-restapi by bjornw.
 > [https://wordpress.slack.com/archives/core-restapi/p1544026019007600 View the logs].''

 Here's a short summary (for those not having access to Slack):

 The current behaviour of reflecting the incoming Origin as-is is an
 intentional design decision (as mentioned
 [https://core.trac.wordpress.org/ticket/45477?replyto=7#comment:5 before])
 and, according to @rmccue:

 ''"tl;dr: CORS is built for CSRF protection, but WordPress already has a
 system for that (nonces), so we "disable" CORS as it gets in the way of
 alternative authentication schemes"''

 I don't understand why verification of an Origin would stand in the way of
 alternative authentication schemes?

 The current view of WordPress on the REST API is according to @rmccue:

 ''"it's a design decision to expose data from the REST API to all origins;
 you should be able to override in plugins easily"''

 And my plugin (I'm sure there are more) does this.

 Personally I'd expect WordPress to verify Origins before sending CORS
 headers by default. Instead it's intentionally open to any Origin by
 default. I disagree with this, but I agree to disagree.

 PS: As far as I know this behavior was not documented anywhere in the REST
 API handbook or FAQ. I've opened up a
 [https://github.com/WP-API/docs/pull/38 pull-request] to remedy this by
 adding it to the FAQ. Hopefully this saves people some time.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45477#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
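An added example (not WordPress core code and not from this ticket) of the plugin-side override the comment refers to: it replaces core's CORS callback, which reflects whatever Origin the browser sent, with one that only echoes Origins on an allowlist and sends no CORS headers otherwise. The hook `rest_pre_serve_request` and the core functions `rest_send_cors_headers()`, `get_http_origin()` and `esc_url_raw()` are WordPress core names that the ticket does not mention; the allowlist constant and the callback are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Allowlisted REST API CORS (added example, not WordPress core code)
 *
 * Core reflects the request Origin into Access-Control-Allow-Origin for
 * every origin. This plugin restricts that to a fixed set of trusted origins.
 */

// Hypothetical allowlist: exact scheme://host[:port] strings, no trailing slash.
const EXAMPLE_CORS_ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

// Unhook core's reflecting callback. default-filters.php registers it before
// plugins load, so a top-level remove_filter() in a plugin file is enough.
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );

/**
 * Send CORS headers only when the Origin is allowlisted.
 *
 * Returns $served unchanged so that the REST server still emits the response.
 */
function example_send_allowlisted_cors_headers( $served, $result, $request, $server ) {
    // Caches must key on Origin regardless of whether we grant access,
    // otherwise a response granted to one origin could be replayed to another.
    header( 'Vary: Origin', false );

    $origin = get_http_origin(); // '' when the request carried no Origin header.

    // Exact, case-sensitive match; "null" (file:// and data: pages) never matches.
    if ( '' === $origin || ! in_array( $origin, EXAMPLE_CORS_ALLOWED_ORIGINS, true ) ) {
        // No Access-Control-Allow-Origin: the browser blocks cross-origin reads.
        return $served;
    }

    header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
    header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
    // Only grant credentials because the origin is trusted; never pair this with "*".
    header( 'Access-Control-Allow-Credentials: true' );

    return $served;
}
add_filter( 'rest_pre_serve_request', 'example_send_allowlisted_cors_headers', 10, 4 );
```

To check the result, issue the same REST request twice with different `Origin` headers (one from the allowlist, one not) and compare the `Access-Control-Allow-Origin` header in the responses: it should be present only for the allowlisted value. Note that this changes which origins a browser lets read responses with credentials; it does not replace the nonce check, which still guards cookie-authenticated writes as the ticket describes.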

