[wp-trac] [WordPress Trac] #28523: wp_send_json to allow for JSONP
WordPress Trac
noreply at wordpress.org
Fri Jun 13 00:30:24 UTC 2014
#28523: wp_send_json to allow for JSONP
-------------------------+------------------------------
Reporter: sc0ttkclark | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.5
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by georgestephanis):

The comparison against `allowed_http_origins` is done via
`get_http_origin()` which relies on the `HTTP_ORIGIN` header -- which by
my understanding is unreliable at best, and not reliably supported cross-
browser. (happy to be wrong, just based off my cursory glance)

My entire thrust on all of this is that turning on JSONP for all existing
uses of `wp_send_json()` could (I think) potentially open up data leakage
from existing endpoints. If it's something that folks have to opt in to
when using the `wp_send_json()` function, whether by constant, filter, or
argument, I'm totally fine with it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28523#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
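
The opt-in approach suggested in the comment above, as an added example (not part of the original message and not WordPress core code). `example_json_response()` and its `allow_jsonp` argument are hypothetical names; the function emits JSONP only when the calling endpoint asks for it, and validates the callback name before using it.

```php
<?php
/**
 * Build status, Content-Type and body for a JSON response.
 * Hypothetical helper: JSONP is produced only when the endpoint passes
 * 'allow_jsonp' => true, so endpoints that never opted in keep returning
 * plain JSON even if a request supplies a callback parameter.
 */
function example_json_response( $data, array $args = array(), array $query = array() ) {
    // Hex-escape <, >, &, ' and " so the payload stays inert if sniffed as HTML.
    $json = json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    if ( false === $json ) {
        return array( 'status' => 500, 'content_type' => 'application/json; charset=UTF-8', 'body' => '{}' );
    }

    // Default path: the callback parameter is ignored entirely.
    if ( empty( $args['allow_jsonp'] ) || ! isset( $query['callback'] ) ) {
        return array( 'status' => 200, 'content_type' => 'application/json; charset=UTF-8', 'body' => $json );
    }

    // Opted in: accept only a short, plain JavaScript identifier as callback.
    $callback = $query['callback'];
    if ( ! is_string( $callback ) || ! preg_match( '/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/', $callback ) ) {
        return array( 'status' => 400, 'content_type' => 'application/json; charset=UTF-8', 'body' => '{}' );
    }

    return array(
        'status'       => 200,
        'content_type' => 'application/javascript; charset=UTF-8',
        'body'         => $callback . '(' . $json . ');',
    );
}

// Constructed sample input: a response carrying per-user data.
$data  = array( 'success' => true, 'data' => array( 'user_email' => 'user@example.test' ) );
$query = array( 'callback' => 'handleResult' );

// Existing endpoint that never opted in: callback ignored, plain JSON returned.
print_r( example_json_response( $data, array(), $query ) );

// Endpoint that explicitly opted in: JSONP wrapper around the same payload.
print_r( example_json_response( $data, array( 'allow_jsonp' => true ), $query ) );

// Opted-in endpoint with a callback that is not a plain identifier: rejected.
print_r( example_json_response( $data, array( 'allow_jsonp' => true ), array( 'callback' => 'a;b()' ) ) );
```

An endpoint that opts in should return only data that is safe for any third-party page to read, because a JSONP response is loaded through a script tag and is not subject to the same-origin restriction on reading responses.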