[wp-trac] [WordPress Trac] #50441: Allow CORS for RSS feed
WordPress Trac
noreply at wordpress.org
Sat Jun 20 20:05:06 UTC 2020
#50441: Allow CORS for RSS feed
----------------------------------+------------------------------
Reporter: stokito | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Feeds | Version:
Severity: normal | Resolution:
Keywords: needs-privacy-review | Focuses: javascript
----------------------------------+------------------------------
Comment (by stokito):
Thank you Ayesh, good points. If WP works as you explained, then this check
for the requested type should be added anyway. Or it may be implemented at
some global filter/interceptor level: if the request contains `Accept:
image/*` but what it requested is not an image, then decline it.
This doesn't protect against XSS with JS, but at least it will protect from
image tags in forum comments (like here), because the src values are not
checked (they can actually only check that the URL has a png/jpg/webp extension).
I guess that the browser may close the connection after it has received the
headers (and checked that there is no cors-allow), so probably one of the
possible solutions may be to flush the headers before generating the payload.
Anyway, the fix is already used by a lot of people and there weren't any
problems.
> traditionally, RSS readers always proxied the content, or consumed them
> server-side. At this point, I think this needs to be a decision the site
> owner has to make.
I guess this is a "chicken or the egg" problem here: people have to use
special RSS reader programs (which are almost all ugly) or use aggregators
like Google Reader (that was killed to force users to use spying and
addictive social networks) and Feedly.
WP is the biggest RSS producer on the Web. So just having CORS enabled will
open a road for thousands of Web-based RSS readers, like the one I am trying
to make for myself. My reader will save my subscriptions in the browser's
localStorage and fetch RSS directly without any spying aggregator's backend.
Site owners should only be happy that more people read their content.
But here may come another problem: while there are only a dozen RSS
aggregators and only several thousand desktop/mobile RSS readers,
nobody ever had a huge load on RSS. So proper paging and caching should be
implemented on the browser side, but that is already implemented and works
fine out of the box.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50441#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
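
The `Accept: image/*` check proposed in the comment above, sketched as an added example; it is not code from the ticket or from WordPress core. The `example_*` function name, the 406 response and the rule "decline when every top-ranked media range is `image/*`" are assumptions; `template_redirect`, `is_feed()` and `status_header()` are existing WordPress APIs.

```php
<?php
// Added example; not WordPress core code. All example_* names are hypothetical.

// True when every media range the client ranks highest is image/*,
// which is what a browser sends for an <img> tag.
function example_accept_prefers_only_images( string $accept ): bool {
	$best_q = 0.0; // Ranges with q=0 ("not acceptable") never qualify.
	$best   = array();
	foreach ( explode( ',', $accept ) as $range ) {
		$params = array_map( 'trim', explode( ';', $range ) );
		$type   = strtolower( array_shift( $params ) );
		$q      = 1.0; // A range without a q parameter has weight 1.
		foreach ( $params as $param ) {
			if ( 0 === stripos( $param, 'q=' ) ) {
				$q = (float) substr( $param, 2 );
			}
		}
		if ( '' === $type ) {
			continue;
		}
		if ( $q > $best_q ) {
			$best_q = $q;
			$best   = array( $type );
		} elseif ( $q === $best_q ) {
			$best[] = $type;
		}
	}
	foreach ( $best as $type ) {
		if ( 0 !== strpos( $type, 'image/' ) ) {
			return false;
		}
	}
	return count( $best ) > 0;
}

if ( function_exists( 'add_action' ) ) {
	// Inside WordPress: decline before any feed payload is generated.
	add_action( 'template_redirect', function () {
		$accept = isset( $_SERVER['HTTP_ACCEPT'] ) ? $_SERVER['HTTP_ACCEPT'] : '';
		if ( is_feed() && example_accept_prefers_only_images( $accept ) ) {
			status_header( 406 );
			exit;
		}
	}, 1 );
} elseif ( 'cli' === PHP_SAPI ) {
	// Constructed sample headers: <img> request, fetch() default, feed reader.
	$samples = array( 'image/avif,image/webp,image/*,*/*;q=0.8', '*/*', 'application/rss+xml, text/xml;q=0.9' );
	foreach ( $samples as $h ) {
		printf( "%-42s => %s\n", $h, example_accept_prefers_only_images( $h ) ? 'decline' : 'serve' );
	}
}
```

Browsers append `*/*;q=0.8` to the header they send for image tags, so a plain substring match on `image/*` or on `*/*` would misclassify requests; the check compares only the highest-weighted ranges.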