[wp-trac] [WordPress Trac] #32126: XML-RPC stopped working with 4.2 in a cross-domain scenario

Fri Apr 24 19:15:37 UTC 2015

#32126: XML-RPC stopped working with 4.2 in a cross-domain scenario
--------------------------+-----------------------------
 Reporter:  flymike       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  XML-RPC       |    Version:  4.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Bug fix 20986 in wp-includes/class-IXR.php unconditionally returns status
 405 to all request methods except POST.  Additionally, an invalid Allow:
 header is returned.

 But OPTIONS is a perfectly valid preflight request sent by XML-RPC
 clients, especially in a cross-domain scenario, to determine if a
 subsequent request (like POST) will be allowed - or if a cross-domain
 request will be allowed.
 Unconditionally returning 405 prevents those clients from subsequently
 sending their POST request.  This broke my XML-RPC client, which
 previously worked in 4.1.3.

 Proposed fix: respond correctly to an OPTIONS request, by examining (any)
 Access-Control-Request-Methods: header for PUT, and returning an Access-
 Control-Allowed-Methods: header containing PUT with status 200.

 Request for enhancement: fully support CORS by adding an admin dialog
 which defines what hosts (or none, or all) will be accepted for cross-
 domain requests, and return the appropriate Access-Control-Allow-Origin:
 header.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32126>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform