[wp-trac] [WordPress Trac] #50441: Allow CORS for RSS feed
WordPress Trac
noreply at wordpress.org
Sat Jun 20 19:10:14 UTC 2020
#50441: Allow CORS for RSS feed
----------------------------------+------------------------------
Reporter: stokito | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Feeds | Version:
Severity: normal | Resolution:
Keywords: needs-privacy-review | Focuses: javascript
----------------------------------+------------------------------
Changes (by ayeshrajans):
* severity: major => normal
Comment:
Welcome to WordPress Trac, @stokito.
> The only problem is a security concern. A hacker can make a DDoS by
> pasting an <img> tag with src pointing to the WP feed on some popular
> site, and this will produce a big load on the WP instance.
CORS doesn't protect the origins from DDoS attacks. Even without CORS
headers, an attacker can simply use an `img` tag with the src set to the
feed URL, and WordPress will happily serve the feed. The difference is
that the caller cannot __read__ the contents. Resources consumed on the
victim's server will be the same because, as far as I know, WordPress does
not serve different content with `accept` header negotiation.
I'm afraid the severity is used widely in WordPress Trac to triage issues
that break existing sites, and because this is a new feature, a `major`
severity wouldn't help a lot for the other contributors.
It is not very common to serve CORS headers on feeds because
traditionally, RSS readers always proxied the content, or consumed them
server-side. At this point, I think this needs to be a decision the site
owner has to make.
I'm not a core maintainer, so let's wait for one to make the decisions. I
just wanted to put my thoughts forward.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50441#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
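The comment's point is that a CORS header changes only whether a cross-origin page can read the feed body, not whether the server does the work, and that whether to allow it is the site owner's call. As an added illustration (not WordPress core code and not part of this ticket), the snippet below emits `Access-Control-Allow-Origin` on feed responses only, and only for origins on an owner-maintained allow-list; the option name `feed_cors_allowed_origins` is a hypothetical name chosen here, while `send_headers`, `is_feed()` and `get_http_origin()` are existing WordPress hooks and functions.

```php
<?php
// Added example for a small plugin or mu-plugin; assumes a normal
// WordPress install. Not part of WordPress core.

/**
 * Decide which Access-Control-Allow-Origin value, if any, to send.
 * Returns the matching allow-listed origin or null. Never returns "*",
 * so the site owner stays in control of who may read the feed cross-origin.
 */
function feed_cors_allowed_origin( ?string $origin, array $allowed ): ?string {
    if ( $origin === null || $origin === '' ) {
        return null; // same-origin or non-browser request: nothing to add
    }
    // Exact, case-insensitive match on scheme + host (+ port); no wildcards,
    // so "https://evil.example.com" never matches "https://example.com".
    foreach ( $allowed as $candidate ) {
        if ( strcasecmp( rtrim( $candidate, '/' ), rtrim( $origin, '/' ) ) === 0 ) {
            return $candidate;
        }
    }
    return null;
}

add_action( 'send_headers', function () {
    // Feed requests only; ordinary pages keep the WordPress defaults.
    if ( ! is_feed() ) {
        return;
    }
    // Owner-maintained allow-list, e.g. ['https://reader.example.com'].
    // 'feed_cors_allowed_origins' is a hypothetical option name.
    $allowed = (array) get_option( 'feed_cors_allowed_origins', [] );
    $origin  = get_http_origin(); // '' when the request carries no Origin header
    $match   = feed_cors_allowed_origin( $origin !== '' ? $origin : null, $allowed );
    if ( $match === null ) {
        // No header: the browser still fetches the feed (same server load),
        // but a cross-origin script cannot read the response body.
        return;
    }
    header( 'Access-Control-Allow-Origin: ' . $match );
    // Keep shared caches from replaying one origin's header to another.
    header( 'Vary: Origin' );
} );
```

An empty allow-list leaves the feed exactly as it is today, which matches the comment's position that nothing changes for the server either way.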