[wp-trac] [WordPress Trac] #46025: _json_wp_die_handler doesn't handle JSONP request

WordPress Trac noreply at wordpress.org
Mon Jan 28 17:35:44 UTC 2019

#46025: _json_wp_die_handler doesn't handle JSONP request
 Reporter:  spacedmonkey                        |       Owner:
                                                |  spacedmonkey
     Type:  defect (bug)                        |      Status:  assigned
 Priority:  normal                              |   Milestone:  5.1
Component:  Bootstrap/Load                      |     Version:  trunk
 Severity:  normal                              |  Resolution:
 Keywords:  has-patch needs-testing servehappy  |     Focuses:  multisite

Comment (by TimothyBlynJacobs):

 The REST API also sends an `X-Content-Type-Options: nosniff` header which
 is accompanied by this doc:

  * Mitigate possible JSONP Flash attacks.
  * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/

 Seems this should also be sent in this handler.

Ticket URL: <https://core.trac.wordpress.org/ticket/46025#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list