[wp-trac] [WordPress Trac] #45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin
WordPress Trac
noreply at wordpress.org
Wed Dec 5 15:58:52 UTC 2018
#45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin
-----------------------------------+------------------------------
Reporter: BjornW | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses:
-----------------------------------+------------------------------
Comment (by BjornW):
@swissspidy and I had a quick chat about this.
@swissspidy: According to older HackerOne reports WordPress should not be
vulnerable to exploitation of this due to WordPress requiring a nonce to
be sent with each request.
@bjornw: However, I worry about plugins adding end-points and making
mistakes. My patch makes sure only Allowed Origins are sent the proper
headers, which seems like a good idea to me.
I'm not a CORS expert and it is rather complex, and I also understand the
need for a user-friendly default for WordPress, but I'd suggest we at
least reconsider the current implementation and see if it is still the
best option. Especially since the REST API cannot be easily switched off
anymore with Gutenberg out.
Other projects had a similar implementation (I don't know if they used
nonces) and considered it an issue:
- https://www.npmjs.com/advisories/148
- https://web-in-security.blogspot.com/2017/07/cors-misconfigurations-on-large-scale.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
Why should we allow any Origin to get the CORS headers without
verification? Is there something I've overlooked?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45477#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
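The reflection-versus-allowlist distinction the comment above is about, as an added PHP example that is neither WordPress core code nor the ticket's patch; the function names, `$allowed_origins` and the sample origins are assumed or constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Contrasts reflecting the request
// Origin (the behaviour the ticket describes) with checking it against an
// explicit allowlist. Function names, $allowed_origins and the sample
// origins below are hypothetical / constructed.
declare(strict_types=1);

/** Reflective variant: whatever Origin the browser sends is echoed back. */
function cors_origin_reflected(?string $origin): ?string {
    return $origin; // every site is granted cross-origin read access
}

/** Allowlisted variant: only exact scheme+host(+port) matches are granted. */
function cors_origin_allowlisted(?string $origin, array $allowed): ?string {
    if ($origin === null || $origin === 'null') {
        return null; // no Origin, or the opaque "null" origin: send no ACAO header
    }
    // Exact comparison only: a substring or prefix check would also accept
    // look-alike origins such as https://example.com.attacker.test
    $needle = strtolower(rtrim($origin, '/'));
    foreach ($allowed as $candidate) {
        if ($needle === strtolower(rtrim($candidate, '/'))) {
            return $origin;
        }
    }
    return null;
}

/** Emit CORS headers only for an allowed origin; otherwise send none. */
function send_cors_headers(?string $origin, array $allowed): void {
    $granted = cors_origin_allowlisted($origin, $allowed);
    if ($granted === null) {
        return;
    }
    header('Access-Control-Allow-Origin: ' . $granted);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin'); // stop caches serving one origin's answer to another
}

// Constructed sample run (header() is a no-op on the CLI).
$allowed_origins = ['https://example.com', 'https://admin.example.com'];
foreach (['https://example.com', 'https://example.com.attacker.test', 'null', null] as $o) {
    printf("%-36s reflected=%-36s allowlisted=%s\n",
        var_export($o, true),
        var_export(cors_origin_reflected($o), true),
        var_export(cors_origin_allowlisted($o, $allowed_origins), true));
    send_cors_headers($o, $allowed_origins);
}
```

The reflective variant returns the attacker-controlled origin unchanged, while the allowlisted one returns `NULL` for the look-alike host, the `null` origin and a missing header, so no `Access-Control-Allow-Origin` is emitted in those cases.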