[wp-trac] [WordPress Trac] #32126: XML-RPC stopped working with 4.2 in a cross-domain scenario
WordPress Trac
noreply at wordpress.org
Mon Jun 29 02:39:43 UTC 2015
#32126: XML-RPC stopped working with 4.2 in a cross-domain scenario
--------------------------+------------------------------
Reporter: flymike | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: XML-RPC | Version: 4.2
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Description changed by dd32:
Old description:
> Bug fix 20986 in wp-includes/class-IXR.php unconditionally returns status
> 405 to all request methods except POST. Additionally, an invalid Allow:
> header is returned.
>
> But OPTIONS is a perfectly valid preflight request sent by XML-RPC
> clients, especially in a cross-domain scenario, to determine if a
> subsequent request (like POST) will be allowed - or if a cross-domain
> request will be allowed.
> Unconditionally returning 405 prevents those clients from subsequently
> sending their POST request. This broke my XML-RPC client, which
> previously worked in 4.1.3.
>
> Proposed fix: respond correctly to an OPTIONS request, by examining (any)
> Access-Control-Request-Methods: header for PUT, and returning an Access-
> Control-Allowed-Methods: header containing PUT with status 200.
>
> Request for enhancement: fully support CORS by adding an admin dialog
> which defines what hosts (or none, or all) will be accepted for cross-
> domain requests, and return the appropriate Access-Control-Allow-Origin:
> header.
New description:

Bug fix #20986 in wp-includes/class-IXR.php unconditionally returns status
405 to all request methods except POST. Additionally, an invalid Allow:
header is returned.

But OPTIONS is a perfectly valid preflight request sent by XML-RPC
clients, especially in a cross-domain scenario, to determine if a
subsequent request (like POST) will be allowed - or if a cross-domain
request will be allowed.
Unconditionally returning 405 prevents those clients from subsequently
sending their POST request. This broke my XML-RPC client, which
previously worked in 4.1.3.

Proposed fix: respond correctly to an OPTIONS request, by examining (any)
Access-Control-Request-Methods: header for PUT, and returning an Access-
Control-Allowed-Methods: header containing PUT with status 200.

Request for enhancement: fully support CORS by adding an admin dialog
which defines what hosts (or none, or all) will be accepted for cross-
domain requests, and return the appropriate Access-Control-Allow-Origin:
header.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/32126#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
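
The following added example is not from the ticket or from WordPress core. It shows one way an XML-RPC endpoint could answer OPTIONS preflights against an exact-match origin allowlist while still returning 405 with a valid Allow header for other methods. It uses the standard CORS header names (Access-Control-Request-Method, Access-Control-Allow-Methods); the function name, constant, allowlist and sample origins are hypothetical.

```php
<?php
// Added example, not WordPress core code. Names and origins are hypothetical.
const XMLRPC_ALLOWED_ORIGINS = ['https://client.example']; // constructed allowlist

/**
 * Decide status and headers for a request to an XML-RPC endpoint.
 * $headers uses lower-cased header names. A 200 for POST means
 * "continue to the RPC handler"; everything else is a final response.
 */
function xmlrpc_cors_decision(string $method, array $headers,
                              array $allowed = XMLRPC_ALLOWED_ORIGINS): array
{
    $origin = $headers['origin'] ?? null;
    // Exact-match allowlist: never reflect an arbitrary Origin, never send "*".
    $cors = [];
    if ($origin !== null && in_array($origin, $allowed, true)) {
        $cors = ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'];
    }
    if ($method === 'POST') {
        return [200, $cors];
    }
    if ($method !== 'OPTIONS') {
        // Valid Allow header listing what the endpoint really accepts.
        return [405, ['Allow' => 'POST, OPTIONS']];
    }
    $wanted = $headers['access-control-request-method'] ?? null;
    if ($wanted === null) {
        return [200, ['Allow' => 'POST, OPTIONS']]; // plain OPTIONS, not a preflight
    }
    if ($cors === [] || $wanted !== 'POST') {
        // No CORS headers: the browser will not send the cross-origin POST.
        return [403, ['Vary' => 'Origin']];
    }
    // text/xml is not a CORS-safelisted Content-Type, so it must be allowed here.
    return [200, $cors + [
        'Access-Control-Allow-Methods' => 'POST',
        'Access-Control-Allow-Headers' => 'Content-Type',
    ]];
}

// Constructed requests: allowed preflight, unknown-origin preflight, plain GET.
$demo = [
    ['OPTIONS', ['origin' => 'https://client.example', 'access-control-request-method' => 'POST']],
    ['OPTIONS', ['origin' => 'https://other.example', 'access-control-request-method' => 'POST']],
    ['GET', []],
];
foreach ($demo as [$m, $h]) {
    [$status, $out] = xmlrpc_cors_decision($m, $h);
    echo $m, ' -> ', $status, ' ', json_encode($out), PHP_EOL;
}
```

CORS only constrains browsers, so non-browser clients can still POST to the endpoint regardless of the allowlist; it does not replace the endpoint's own authentication.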