[wp-trac] [WordPress Trac] #41696: Content-Disposition header is blocked by CORS
WordPress Trac
noreply at wordpress.org
Tue Aug 22 01:51:05 UTC 2017
#41696: Content-Disposition header is blocked by CORS
--------------------------+-----------------------------
Reporter: rmccue | Owner:
Type: defect (bug) | Status: new
Priority: low | Milestone: Awaiting Review
Component: REST API | Version: 4.7
Severity: minor | Keywords: has-patch
Focuses: |
--------------------------+-----------------------------
The media upload endpoint in the REST API accepts files in two formats:
form data (`multipart/form-data`) and direct upload (e.g. `image/png`).
When uploading in direct format, the desired filename is passed in the
`Content-Disposition` header (e.g. `Content-Disposition: attachment;
filename="file.jpg"`).
When sending requests across a cross-site boundary, browser preflight
requests only allow a certain subset of headers to be sent. We whitelist
`Authorization` and `Content-Type` in addition to the regular headers, but
neither `Content-Disposition` nor `Content-MD5` are permitted by default
or explicitly.
This means that a simple `fetch` using a File/Blob object (e.g. from an
`<input type="file" />` or HTML5 drag-and-drop) for the body will fail:
{{{
const url = `http://example.com/wp-json/wp/v2/media`;
const opts = {
    method: 'POST',
    headers: {
        // Not on the CORS allow list, so the preflight rejects the request.
        'Content-Disposition': 'attachment; filename="test.txt"',
    },
    body: new Blob( [ 'test data' ] ),
};
fetch( url, opts ).then( resp => console.log( resp ) );
}}}
However, this is allowed by packing the data into a FormData object
instead:
{{{
const url = `http://example.com/wp-json/wp/v2/media`;
const opts = {
    method: 'POST',
};
opts.body = new FormData();
const file = new Blob( [ 'test data' ] );
// A Blob has no usable `name`; the filename is the third argument to append().
opts.body.append( 'file', file, 'test.txt' );
fetch( url, opts ).then( resp => console.log( resp ) );
}}}
We should fix this inconsistency to allow for the simpler request format.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41696>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
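The preflight header check the ticket describes, modeled as an added example (not code from the ticket or from WordPress). The function names, the simplified safelist, and `ALLOW_EXTENDED` are assumptions for illustration; `ALLOW_CURRENT` reflects the two headers the ticket says are whitelisted.

```javascript
// Simplified CORS safelist: headers a browser sends cross-origin without a preflight.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Lowercase, sorted header names the browser would list in
// Access-Control-Request-Headers for this request.
function headersNeedingPreflight(headers) {
  const names = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SAFELISTED.has(lower)) continue;
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (SIMPLE_CONTENT_TYPES.has(mime)) continue;
    }
    names.push(lower);
  }
  return names.sort();
}

// Requested headers not covered by the server's Access-Control-Allow-Headers
// value. A non-empty result means the browser never sends the real request.
function blockedHeaders(headers, allowHeadersValue) {
  const allowed = new Set(
    allowHeadersValue.split(',').map(h => h.trim().toLowerCase()).filter(Boolean)
  );
  return headersNeedingPreflight(headers).filter(h => !allowed.has(h));
}

// Constructed inputs. ALLOW_CURRENT follows the ticket's description;
// ALLOW_EXTENDED is a hypothetical allow list that adds the two missing headers.
const ALLOW_CURRENT = 'Authorization, Content-Type';
const ALLOW_EXTENDED = 'Authorization, Content-Type, Content-Disposition, Content-MD5';

const directUpload = {
  'Content-Type': 'image/png',
  'Content-Disposition': 'attachment; filename="file.png"',
};
const formUpload = {}; // FormData body: the browser sets multipart/form-data itself

console.log(blockedHeaders(directUpload, ALLOW_CURRENT));
console.log(blockedHeaders(directUpload, ALLOW_EXTENDED));
console.log(blockedHeaders(formUpload, ALLOW_CURRENT));
```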