[wp-trac] [WordPress Trac] #50441: Allow CORS for RSS feed

WordPress Trac noreply at wordpress.org
Sat Jun 20 20:05:06 UTC 2020


#50441: Allow CORS for RSS feed
----------------------------------+------------------------------
 Reporter:  stokito               |       Owner:  (none)
     Type:  enhancement           |      Status:  new
 Priority:  normal                |   Milestone:  Awaiting Review
Component:  Feeds                 |     Version:
 Severity:  normal                |  Resolution:
 Keywords:  needs-privacy-review  |     Focuses:  javascript
----------------------------------+------------------------------

Comment (by stokito):

 Thank you Ayesh, good points. If WP works as you explained then this check
 for the requested type should be added anyway. Or it may be implemented on
 some global filter/interceptor level: if the request contains `Accept:
 image/*` but what it requested is not an image then decline it.
 This doesn't protect against XSS with JS but at least it will protect from
 image tags in forum comments (like here) because src is not checked (they
 can actually check only that the URL has the extension png/jpg/webp).

 I guess that the browser may close the connection after it has received the
 headers (and checked that there is no cors-allow) so probably one of the
 possible solutions may be to flush headers before generating the payload.

 Anyway, the fix is already used by a lot of people and there weren't any
 problems.

 > traditionally, RSS readers always proxied the content, or consumed them
 > server-side. At this point, I think this needs to be a decision the site
 > owner has to make.

 I guess this is a "chicken or the egg" problem here: people have to use
 special RSS reader programs (which are almost all ugly) or use aggregators
 like Google Reader (that was killed to force users to use spying and
 addictive social networks) and Feedly.
 WP is the biggest RSS producer on the Web. So just having CORS enabled will
 open a road for thousands of Web-based RSS readers, like the one I am trying
 to make for myself. My reader will save my subscriptions in the browser's
 localStorage and fetch RSS directly without any spying aggregator's backend.

 Site owners should only be happy that more people read their content.

 But here may come another problem: while there are only a dozen RSS
 aggregators and only several thousand desktop/mobile RSS readers,
 nobody ever had a huge load on RSS. So proper paging and caching should be
 implemented on the browser side, but that is already implemented and works
 fine out of the box.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50441#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
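
The Accept-header check proposed in the comment above, combined with a CORS header on feeds, as an added example that is not part of the original message, the fix the comment mentions, or WordPress core. The `example_` function names, the choice of the `template_redirect` hook, the 406 status and the wildcard origin are assumptions made for this sketch.

```php
<?php
// Added illustration only. Function names prefixed example_ are hypothetical.

/**
 * Return true when the Accept header lists an image media range
 * (image/*, image/png, ...), as browsers send for <img src> loads.
 */
function example_accept_has_image_range( $accept ) {
    foreach ( explode( ',', strtolower( (string) $accept ) ) as $range ) {
        // Drop parameters such as ";q=0.8" and surrounding whitespace.
        $type = trim( explode( ';', $range )[0] );
        if ( 0 === strpos( $type, 'image/' ) ) {
            return true;
        }
    }
    return false;
}

/**
 * On feed requests: decline requests that ask for an image, otherwise
 * allow cross-origin reads of the feed.
 */
function example_feed_cors_guard() {
    if ( ! is_feed() ) {
        return;
    }
    // The response now depends on Accept, so shared caches must key on it.
    header( 'Vary: Accept', false );

    $accept = isset( $_SERVER['HTTP_ACCEPT'] ) ? $_SERVER['HTTP_ACCEPT'] : '';
    if ( example_accept_has_image_range( $accept ) ) {
        status_header( 406 ); // Not Acceptable: a feed is not an image.
        exit;
    }
    header( 'Access-Control-Allow-Origin: *' );
}

// Register only inside WordPress, so the parsing helper can be loaded alone.
if ( function_exists( 'add_action' ) ) {
    add_action( 'template_redirect', 'example_feed_cors_guard' );
}
```

Because the headers are sent before the feed template starts producing output, a browser that rejects the response can do so without waiting for the payload.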