[wp-trac] [WordPress Trac] #28523: wp_send_json to allow for JSONP

WordPress Trac noreply at wordpress.org
Mon Jan 18 07:25:39 UTC 2016


#28523: wp_send_json to allow for JSONP
----------------------------------------+------------------------------
 Reporter:  sc0ttkclark                 |       Owner:  rmccue
     Type:  enhancement                 |      Status:  assigned
 Priority:  normal                      |   Milestone:  Awaiting Review
Component:  REST API                    |     Version:  3.5
 Severity:  normal                      |  Resolution:
 Keywords:  has-patch needs-unit-tests  |     Focuses:  javascript
----------------------------------------+------------------------------
Changes (by rmccue):

 * keywords:  needs-patch => has-patch needs-unit-tests
 * owner:   => rmccue
 * status:  new => assigned


Comment:

 Added patch to split the REST API JSONP callback validation code into a
 separate function, but nothing else. This allows plugins to use the built-
 in validation and is really just good practice anyway. I agree with @nacin
 that we don't really need a function to send JSONP in core (especially
 with the API infrastructure in).

 '''Extremely Important Note''': If you send JSONP in your custom response,
 '''make sure you prefix the response with `/**/`'''. This will mitigate
 the [https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 Rosetta Flash] exploit. You should also send the `X-Content-Type-Options:
 nosniff` header, or even better, use the REST API infrastructure.

 With it split out, we should be able to unit test this now too.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28523#comment:23>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
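The mitigations the comment describes (callback-name validation, the `/**/` prefix, the `nosniff` header), as an added standalone PHP example that is not the ticket's patch or WordPress core code; the function names are hypothetical:

```php
<?php
// Added example, not the ticket's patch: a standalone JSONP sender that
// applies the mitigations described above. Function names are hypothetical.

// Accept only callback names built from word characters and dots
// (e.g. "jQuery.cb123"); anything else could break out of the call syntax.
function jsonp_callback_is_safe( $callback ) {
    if ( ! is_string( $callback ) || '' === $callback ) {
        return false;
    }
    // preg_match returns 1 when an illegal character is present.
    return 1 !== preg_match( '/[^\w.]/', $callback );
}

// Build the response body. The leading /**/ means the bytes at offset 0
// are fixed by the server rather than chosen by the client through the
// callback name, which is what the Rosetta Flash technique depended on.
function build_jsonp_body( $callback, $data ) {
    if ( ! jsonp_callback_is_safe( $callback ) ) {
        return null;
    }
    $json = json_encode( $data );
    if ( false === $json ) {
        return null;
    }
    return '/**/' . $callback . '(' . $json . ');';
}

// Send the body with a JavaScript content type and nosniff, so browsers
// do not reinterpret the response as some other type.
function send_jsonp( $callback, $data ) {
    $body = build_jsonp_body( $callback, $data );
    if ( null === $body ) {
        http_response_code( 400 );
        header( 'Content-Type: application/json; charset=utf-8' );
        echo json_encode( array( 'error' => 'Invalid JSONP callback.' ) );
        return;
    }
    header( 'Content-Type: application/javascript; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    echo $body;
}

// Constructed sample inputs for running from the CLI.
var_dump( jsonp_callback_is_safe( 'jQuery.cb123' ) );
var_dump( jsonp_callback_is_safe( 'bad name;' ) );
var_dump( build_jsonp_body( 'jQuery.cb123', array( 'ok' => true ) ) );
```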

