[wp-trac] [WordPress Trac] #38446: Deprecate the rest_enabled filter
WordPress Trac
noreply at wordpress.org
Mon Oct 24 02:04:16 UTC 2016
#38446: Deprecate the rest_enabled filter
-------------------------------------------------+-------------------------
Reporter: pento | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: 4.7
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: needs-patch needs-unit-tests needs-docs needs-dev-note | Focuses:
-------------------------------------------------+-------------------------
Comment (by pento):
Replying to [comment:7 rmccue]:
> 1. I think we should give people enough rope to hang themselves if they really want.
Conversely, they already have plenty of ways to explode their site; they don't really need one more.
> The fact is that the REST API does introduce a new attack surface (the Flash XSS exploit for example).
Everything we do introduces a new attack surface, but we don't add an off
button for each feature. If a REST API vulnerability is discovered, a Core
auto update is far more efficient at protecting sites than a filter to
disable the REST API.
> 2. The admin should be designed to work without JavaScript, and hence without the REST API. For people that disable the API, the progressive enhancement should drop back to standard interactions.
There are already significant parts that either require JS (the
Customizer), or the no-js fallback is barely usable (the post editor). As
more development moves to a JS first (or JS only) model, I expect the
balance to tip more in a Customizer direction. Indeed, as the Customizer
moves to using the REST API, disabling the API (or particular endpoints)
will cause all sorts of exciting behaviour.
> That said, there is a way to remove the endpoints without needing to use this filter:
> {{{
> remove_action( 'rest_api_init', 'create_initial_rest_routes', 99 );
> }}}
>
> I think we should start publicising this method rather than the sledgehammer that is `rest_enabled`.
Per discussion on #38339, removing the core endpoints is just as bad; we shouldn't be encouraging that.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38446#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform