[wp-trac] [WordPress Trac] #50441: Allow CORS for RSS feed
WordPress Trac
noreply at wordpress.org
Sat Jun 20 18:22:19 UTC 2020
#50441: Allow CORS for RSS feed
-------------------------+----------------------------------
Reporter: stokito | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Feeds | Version:
Severity: major | Keywords: needs-privacy-review
Focuses: javascript |
-------------------------+----------------------------------
I'm developing an in-browser RSS reader and want to get an RSS feed from
my blog on WP.com, but the browser (both Chrome and FF) shows me the error:
{{{
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at https://wordpress.com/blog/feed/. (Reason: CORS header
‘Access-Control-Allow-Origin’ missing).
}}}
Here is a small example to reproduce:
{{{
<html>
<head>
  <!-- rss-parser browser build; the URL was split across two lines in the original message -->
  <script src="https://unpkg.com/rss-parser/dist/rss-parser.min.js"></script>
  <script>
    let parser = new RSSParser();
    // Fetches the feed directly from the browser; fails unless the feed
    // response carries Access-Control-Allow-Origin.
    parser.parseURL('https://wordpress.com/blog/feed/', function(err, feed) {
      if (err) throw err;
      console.log(feed.title);
      feed.items.forEach(function(entry) {
        console.log(entry);
      });
    });
  </script>
</head>
</html>
}}}
This is quite a popular thing that a lot of people try to do:
https://www.google.com/search?q=wordpress+feed+cors
That's one of the main reasons why most browser JS RSS readers require a
dedicated proxy server that makes a server-to-server call to retrieve the
RSS:
* https://github.com/sdepold/jquery-rss proxies RSS fetch via Feedr.
* https://github.com/enginkizil/FeedEk proxies RSS fetch via Feed API
* https://github.com/rbren/rss-parser uses https://cors-anywhere.herokuapp.com
The fix is easy:
{{{
add_action( 'pre_get_posts', 'add_header_origin' );
function add_header_origin() {
    // Only feed responses get the permissive CORS header.
    if ( is_feed() ) {
        header( 'Access-Control-Allow-Origin: *' );
    }
}
}}}
But I want the fix to be added into WP trunk because my reader will
mostly consume RSS from wordpress.com or many other WP blogs.
It should be fine to allow CORS requests to the feed. The only problem is
a security concern: a hacker can make a DDoS by pasting on some popular site
an <img> tag with src pointing to a WP feed, and this will produce a big load
on the WP instance.
But here we can add a simple check: when a browser requests an image it
sends the header `Accept: image/webp,image/apng,image/*,*/*;q=0.8`, while
a JS RSS reader can set the `Accept` header manually to
`application/rss+xml`.
Actually, rss-parser already sends `Accept: application/rss+xml`.
So on the server side we can just check that the client requested exactly the
feed and only then try to generate it.
As far as I can see this is something really important (because workarounds
are already in use), and it should be easy to implement and safe to enable by
default. So I'll set Major severity.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50441>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
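The Accept-header check the ticket proposes, written out as an added example (it is not the ticket's snippet and not WordPress core code): the CORS header is sent on feed responses only when the client's `Accept` explicitly names a feed media type. The function names, the `template_redirect` hook choice and the inclusion of the Atom type are assumptions.

```php
<?php
/**
 * Added example (hypothetical plugin code, not WordPress core):
 * send Access-Control-Allow-Origin on feed responses only when the
 * request's Accept header explicitly lists a feed media type.
 */

/** Media types a JavaScript feed reader would name explicitly (assumed list). */
const FEED_CORS_TYPES = array( 'application/rss+xml', 'application/atom+xml' );

/**
 * True when $accept lists one of FEED_CORS_TYPES as a media range.
 * A bare wildcard such as "*\/*;q=0.8" (what an <img> load sends) does not count.
 */
function feed_cors_client_accepts_feed( $accept ) {
    foreach ( explode( ',', strtolower( $accept ) ) as $range ) {
        // Drop parameters such as ";q=0.8" and surrounding whitespace.
        $type = trim( explode( ';', $range, 2 )[0] );
        if ( in_array( $type, FEED_CORS_TYPES, true ) ) {
            return true;
        }
    }
    return false;
}

function feed_cors_send_header() {
    if ( ! is_feed() ) {
        return;
    }
    $accept = isset( $_SERVER['HTTP_ACCEPT'] ) ? $_SERVER['HTTP_ACCEPT'] : '';
    if ( feed_cors_client_accepts_feed( $accept ) ) {
        // Feeds are public and the request carries no credentials,
        // so a wildcard origin does not expose anything private.
        header( 'Access-Control-Allow-Origin: *' );
    }
    // The header set depends on Accept, so shared caches must key on it.
    header( 'Vary: Accept', false );
}

// template_redirect runs after the main query is parsed, so is_feed() is reliable here.
add_action( 'template_redirect', 'feed_cors_send_header' );
```

`Accept` is a CORS-safelisted request header, so a reader setting it to `application/rss+xml` still makes a simple GET with no preflight. Note that a browser fetches an `<img>` target whether or not the CORS header is present, so this check decides only whether the feed body is readable cross-origin; gating feed generation itself on `Accept` would also reject ordinary feed readers that send `*/*`.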