[wp-trac] [WordPress Trac] #50441: Allow CORS for RSS feed

WordPress Trac noreply at wordpress.org
Sat Jun 20 18:22:19 UTC 2020


#50441: Allow CORS for RSS feed
-------------------------+----------------------------------
 Reporter:  stokito      |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Feeds        |    Version:
 Severity:  major        |   Keywords:  needs-privacy-review
  Focuses:  javascript   |
-------------------------+----------------------------------
 I'm developing an in-browser RSS reader and want to get an RSS feed from
 my blog on WP.com, but the browser (both Chrome and FF) shows me the error:

 {{{
 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
 remote resource at https://wordpress.com/blog/feed/. (Reason: CORS header
 ‘Access-Control-Allow-Origin’ missing).
 }}}

 Here is a small example to reproduce:

 {{{
 <html>
 <head>
     <!-- browser build of rss-parser, exposes a global RSSParser -->
     <script src="https://unpkg.com/rss-parser/dist/rss-parser.min.js"></script>
     <script>
         let parser = new RSSParser();
         // parseURL fetches the feed cross-origin, so the server must send a CORS header
         parser.parseURL('https://wordpress.com/blog/feed/', function(err, feed) {
             if (err) throw err;
             console.log(feed.title);
             feed.items.forEach(function(entry) {
                 console.log(entry);
             });
         });
     </script>
 </head>
 </html>
 }}}


 This is quite a popular thing that a lot of people try to do:
 https://www.google.com/search?q=wordpress+feed+cors

 That's one of the main reasons why most browser JS RSS readers require a
 dedicated proxy server that makes a server-to-server call to retrieve the
 RSS:

 * https://github.com/sdepold/jquery-rss proxies RSS fetch via Feedr.
 * https://github.com/enginkizil/FeedEk proxies RSS fetch via Feed API
 * https://github.com/rbren/rss-parser uses https://cors-anywhere.herokuapp.com

 The fix is easy:
 {{{
 add_action( 'pre_get_posts', 'add_header_origin' );

 function add_header_origin() {
     // Only feed responses get the CORS header; normal pages are untouched.
     if ( is_feed() ) {
         header( 'Access-Control-Allow-Origin: *' );
     }
 }
 }}}

 But I want the fix to be added into WP trunk because my reader will
 mostly consume RSS from wordpress.com or many other WP blogs.

 It should be fine to allow CORS requests to the feed. The only problem is
 a security concern. A hacker can make a DDoS by pasting on some popular
 site an <img> tag with src pointing to a WP feed, and this will produce a
 big load on the WP instance.
 But here we can add a simple check: when a browser requests an image it
 sends the header `Accept: image/webp,image/apng,image/*,*/*;q=0.8`, while
 JS RSS readers can set the `Accept` header manually to
 `application/rss+xml`.

 Actually the rss-parser already sends `Accept: application/rss+xml`.
 So on the server side we can just check that the client requested exactly
 the feed and only then try to generate it.

 As far as I see, this is something really important (because workarounds
 are already in use) and it should be easy to implement and safe to enable
 by default. So I'll set Major severity.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50441>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
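As an added example for this ticket (not the reporter's patch and not WordPress core code), here is a small must-use plugin that implements the two ideas in the ticket the way a defender would deploy them: the CORS header is sent only on feed responses, and only when the client's Accept header explicitly names a feed media type. The feed_cors_ function and constant names and the list of accepted media types are my own choices; the code assumes only the standard WordPress is_feed() function and template_redirect action. Two caveats a practitioner should keep in mind: a CORS header only controls whether a script may read the response, so it neither enables nor prevents the <img> hotlink load described in the ticket (the browser fetches the URL either way and then fails to decode it as an image), and refusing to generate the feed at all on Accept alone would break legitimate readers and aggregators that send */*. The example therefore gates only the header, not the feed itself.

```php
<?php
/**
 * Plugin Name: Feed CORS (added example, not WordPress core code)
 * Description: Sends Access-Control-Allow-Origin on feed responses when the
 *              client explicitly asked for a feed media type in Accept.
 * Drop into wp-content/mu-plugins/ to try it. Names prefixed feed_cors_ are
 * hypothetical; WordPress itself provides is_feed() and template_redirect.
 */

// Media types a feed reader is expected to list in Accept (constructed list).
const FEED_CORS_FEED_TYPES = array(
	'application/rss+xml',
	'application/atom+xml',
	'application/rdf+xml',
	'application/xml',
	'text/xml',
);

/**
 * Parse an Accept header into the media types it names, dropping parameters
 * such as ";q=0.8". Returns lowercase "type/subtype" strings in header order.
 */
function feed_cors_accept_types( $accept_header ) {
	$types = array();
	foreach ( explode( ',', (string) $accept_header ) as $entry ) {
		$media = strtolower( trim( explode( ';', $entry, 2 )[0] ) );
		if ( '' !== $media ) {
			$types[] = $media;
		}
	}
	return $types;
}

/**
 * True only when the client named a feed media type. A browser <img> load
 * sends "image/webp,image/apng,image/*,*/*;q=0.8": wildcards alone do not count.
 */
function feed_cors_client_wants_feed( $accept_header ) {
	$named = feed_cors_accept_types( $accept_header );
	return array_intersect( $named, FEED_CORS_FEED_TYPES ) !== array();
}

/**
 * template_redirect runs after the main query is parsed (so is_feed() is
 * reliable) and before any output, so headers can still be sent.
 */
function feed_cors_template_redirect() {
	if ( ! is_feed() ) {
		return; // normal pages are untouched
	}
	$accept = isset( $_SERVER['HTTP_ACCEPT'] ) ? wp_unslash( $_SERVER['HTTP_ACCEPT'] ) : '';
	if ( ! feed_cors_client_wants_feed( $accept ) ) {
		return; // the feed is still served as before, just without CORS
	}
	// Feeds are public and unauthenticated, so a wildcard origin is the safe
	// choice: browsers refuse to expose a "*" response to credentialed requests.
	// Do not echo the request's Origin back with Allow-Credentials for feeds.
	header( 'Access-Control-Allow-Origin: *' );
	// Whether the header is present depends on Accept, so tell caches that.
	header( 'Vary: Accept', false );
}
add_action( 'template_redirect', 'feed_cors_template_redirect' );
```

With this in place the reporter's rss-parser snippet works, because that library sends `Accept: application/rss+xml`, while a plain browser navigation or an <img> load receives exactly the same feed body as today, only without the CORS header.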