[wp-trac] [WordPress Trac] #28523: wp_send_json to allow for JSONP

WordPress Trac noreply at wordpress.org
Fri Jun 13 03:24:21 UTC 2014


#28523: wp_send_json to allow for JSONP
-------------------------+------------------------------
 Reporter:  sc0ttkclark  |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  General      |     Version:  3.5
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:
-------------------------+------------------------------

Comment (by rmccue):

 Replying to [comment:10 georgestephanis]:
 > The comparison against `allowed_http_origins` is done via
 > `get_http_origin()` which relies on the `HTTP_ORIGIN` header -- which by
 > my understanding is unreliable at best, and not reliably supported
 > cross-browser.  (happy to be wrong, just based off my cursory glance)

 Supported in IE 8+ (10+ for full support), Chrome 4+, Firefox 3.5+, Opera
 12+ and Safari 4+. ([http://caniuse.com/cors caniuse],
 [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Browser_compatibility MDN]).

 That said, there are potential security issues of allowing users to do
 this; callbacks need to be properly sanitized and checked. Allowing
 `wp_send_json` to include this callback argument while also checking it
 (with the aforementioned function) would be the best scenario, IMO.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28523#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
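
The callback sanitization that the comment above calls for, sketched as an added example that is not part of the original message and is not WordPress core code. The `example_*` function names and the 64-character cap are assumptions; the origin comparison discussed in the thread is not shown.

```php
<?php
// Added illustration: the example_* helpers are hypothetical, not WordPress core code.

// Accept only a dotted chain of JavaScript identifiers, e.g. "cb" or "app.onData".
function example_is_safe_jsonp_callback(string $callback): bool
{
    if ($callback === '' || strlen($callback) > 64) { // length cap is an assumed policy
        return false;
    }
    // The D modifier stops "$" from matching before a trailing newline.
    $ident = '[A-Za-z_$][A-Za-z0-9_$]*';
    return preg_match('/^' . $ident . '(?:\.' . $ident . ')*$/D', $callback) === 1;
}

// Return [content type, body], or null when the callback must be refused.
function example_build_json_response($data, ?string $callback = null): ?array
{
    // Hex-escape <, >, &, ' and " so the payload stays inert if it is ever read as HTML.
    $json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        return null;
    }
    if ($callback === null) {
        return ['application/json; charset=utf-8', $json];
    }
    if (!example_is_safe_jsonp_callback($callback)) {
        return null;
    }
    // The leading comment keeps caller-chosen text from being the first bytes of the body.
    return ['application/javascript; charset=utf-8', '/**/' . $callback . '(' . $json . ');'];
}

// Constructed sample inputs.
$samples = ['handleData', 'app.handlers.onData', 'alert(1)//', "cb\n", ''];
foreach ($samples as $cb) {
    $response = example_build_json_response(['ok' => true], $cb);
    printf("%-24s %s\n", json_encode($cb), $response === null ? 'refused' : $response[1]);
}
```

A refused callback is better answered with an HTTP 400 than with a silent fallback to plain JSON, so that a rejected request is visible to the caller and in the logs.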

