[wp-trac] [WordPress Trac] #40426: Remove dns-prefetch of s.w.org domain
WordPress Trac
noreply at wordpress.org
Wed Apr 12 17:08:07 UTC 2017
#40426: Remove dns-prefetch of s.w.org domain
-------------------------+-----------------------------
Reporter: joelhardi | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
DNS prefetch for the emoji CDN in general-template.php is causing the link
tag {{{<link rel='dns-prefetch' href='//s.w.org' />}}} to be generated on
public-facing URLs such as the login/registration page wp-login.php.
This may trigger the user-agent to make a DNS lookup of this domain name
which would leak information (for instance) to a rogue DNS resolver. This
is a security/privacy concern because it enables discovery or profiling of
browsing behavior by anyone operating an upstream DNS resolver.
There does not seem to be a compelling reason to request a dns-prefetch of
'''any''' hardcoded domain names (even those owned by Automattic) -- I
don't believe it is desirable for WordPress core to trigger '''any'''
unnecessary external network activity by default. An HTTP request to a
third-party domain would be a more obvious example, but even a DNS lookup
of a FQDN can be used for tracking.
An alternate remedy would be to conditionally insert this <link> tag only
when external assets from s.w.org are required, but given the questionable
value that dns-prefetch of a CDN domain provides in normal environments
(browser, system or local DNS resolver is likely to have already cached
this DNS lookup, so dns-prefetch does nothing in the vast majority of page
loads) I'd suggest it's simpler to simply remove the hardcoded prefetch
insertion. Less code is better in this case.
Please see patch. This is also a net performance improvement since it
reduces page size and server processing, but that's secondary.
Plugins, themes or optional components such as emoji support can still
trigger resource hints such as prefetch independently, but hardcoding URLs
into general-template.php seems like a hack.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40426>
WordPress Trac <https://core.trac.wordpress.org/>
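One way to suppress the hint without patching core, as an added example that is not part of the ticket or its attached patch: a must-use plugin hooking the `wp_resource_hints` filter (WordPress 4.6+), which receives the full emoji CDN URL before core reduces it to a bare host. The `strip_swo_dns_prefetch` function name and the plugin header are this example's own.

```php
<?php
/**
 * Plugin Name: Strip s.w.org dns-prefetch (example mu-plugin, not core code)
 *
 * Removes the hardcoded emoji CDN host from the dns-prefetch resource
 * hints so that <link rel='dns-prefetch' href='//s.w.org' /> is no
 * longer emitted unless some plugin or theme explicitly adds it back.
 */

function strip_swo_dns_prefetch( $urls, $relation_type ) {
    // The emoji CDN entry only ever appears under the dns-prefetch relation;
    // leave preconnect/prefetch/prerender hints untouched.
    if ( 'dns-prefetch' !== $relation_type ) {
        return $urls;
    }

    return array_filter( $urls, function ( $url ) {
        // Hints may be plain strings or arrays carrying an 'href' key
        // (plus optional attributes such as 'crossorigin').
        if ( is_array( $url ) ) {
            $url = isset( $url['href'] ) ? $url['href'] : '';
        }
        // Compare on the host, not the raw string: core passes the full
        // 'https://s.w.org/images/core/emoji/.../svg/' URL here, while a
        // plugin might add the protocol-relative '//s.w.org' form.
        $host = wp_parse_url( $url, PHP_URL_HOST );
        return 's.w.org' !== strtolower( (string) $host );
    } );
}
add_filter( 'wp_resource_hints', 'strip_swo_dns_prefetch', 10, 2 );
```

Drop the file into wp-content/mu-plugins/ and confirm with something like `curl -s https://example.test/wp-login.php | grep dns-prefetch` (example.test is a placeholder) that the s.w.org hint no longer appears in the response.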