[wp-trac] [WordPress Trac] #44815: Remove deflate/gzip compression from load-scripts.php / load-styles.php
WordPress Trac
noreply at wordpress.org
Sun Aug 19 17:24:56 UTC 2018
#44815: Remove deflate/gzip compression from load-scripts.php / load-styles.php
--------------------------------+-----------------------------
Reporter: LucasRolff | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: trunk
Severity: normal | Keywords: needs-patch
Focuses: ui, administration |
--------------------------------+-----------------------------
In WordPress trunk (and other WP versions after 2.8), load-styles.php
and load-scripts.php do deflate or gzip compression based on the
Accept-Encoding header.

In recent times, where Brotli compression has been introduced in various
web servers, it can often result in double compression, leading to bugs in
browsers such as Safari, which doesn't handle double compression at all.

Chrome, Firefox and Opera seem to decompress double-compressed content
over two steps, which causes no issues (other than making the browser
decompress twice).

However, Safari will end up with the error "cannot decode raw data".

My suggestion would be to remove the whole compression part from
wp-admin/load-styles.php and wp-admin/load-scripts.php.

There's no reason to keep this around anymore; the majority of web servers
these days already do the needed compression (deflate, gzip, br), and it's
a lot better to handle it on the web server level instead of within the
application.

I can see that @azaozz submitted a patch in ticket
[https://core.trac.wordpress.org/ticket/43308 #43308] in regards to
CVE-2018-6389 - however, that patch never made it into a release.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44815>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
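
One way to confirm the double compression described in the ticket, as an added example that is not part of the original report or of WordPress itself: decode the encodings the response declares, then check whether a compressed stream is still left over. Assumptions: gzip stands in for the server's Brotli layer (Brotli is not in the Python standard library), and the function names and sample bytes are constructed for illustration.

```python
import gzip
import zlib
from typing import Optional


def decode_layer(body: bytes, encoding: str) -> bytes:
    """Undo one declared Content-Encoding layer (gzip or deflate)."""
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        try:
            return zlib.decompress(body)                    # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate
    raise ValueError(f"unsupported encoding: {encoding}")


def hidden_layer(data: bytes) -> Optional[str]:
    """Name the compression layer still wrapping data, or None if it is plain."""
    try:
        if data[:2] == b"\x1f\x8b":                         # gzip magic bytes
            gzip.decompress(data)
            return "gzip"
        # zlib header: method 8 in the low nibble, 16-bit header divisible by 31.
        # Plain text can match by chance, so confirm by actually decompressing.
        if (len(data) >= 2 and data[0] & 0x0F == 8
                and int.from_bytes(data[:2], "big") % 31 == 0):
            zlib.decompress(data)
            return "deflate"
    except (OSError, EOFError, zlib.error):
        pass
    return None


def audit_response(body: bytes, content_encoding: str) -> Optional[str]:
    """Decode the declared encodings, then report any undeclared layer left over."""
    declared = [e.strip().lower() for e in content_encoding.split(",") if e.strip()]
    for enc in reversed(declared):      # header lists encodings in the order applied
        body = decode_layer(body, enc)
    return hidden_layer(body)


# Constructed sample: script output compressed by the application, then by the server.
SCRIPT = b"jQuery(function($){ $('#wpbody').show(); });"
APP_OUTPUT = zlib.compress(SCRIPT)      # application-level deflate
DOUBLE = gzip.compress(APP_OUTPUT)      # server-level layer on top of it
SINGLE = gzip.compress(SCRIPT)          # compressed once, by the server only

if __name__ == "__main__":
    print("double:", audit_response(DOUBLE, "gzip"))
    print("single:", audit_response(SINGLE, "gzip"))
```

A non-None result means a client that decodes only the declared encoding receives compressed bytes instead of script or stylesheet text.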