[wp-trac] [WordPress Trac] #50441: Allow CORS for RSS feed
WordPress Trac
noreply at wordpress.org
Sun Jun 21 08:01:36 UTC 2020
#50441: Allow CORS for RSS feed
----------------------------------+------------------------------
Reporter: stokito | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Feeds | Version:
Severity: normal | Resolution:
Keywords: needs-privacy-review | Focuses: javascript
----------------------------------+------------------------------
Comment (by ayeshrajans):
Thanks for your reply. Because RSS is meant to be consumed by any software
(in contrast to a private API that is consumed only by the app itself), I
think it should be semantically secure to emit the CORS headers.
I created Fast404 (https://wordpress.org/plugins/fast404/) to immediately
return a simple 404 message if the browser is expecting a static resource
such as an image or a CSS file. I think this should be a separate
discussion whether WordPress should care about the Accept header, because
the routing and URL routing we have now is based on the URI only, and not
the Accept headers. I created the plugin because I was annoyed that some
random JPG 404 URLs triggered a full HTML page, but I don't know how it
will be useful with other situations.
The other concern would be private content. If an RSS feed contains
private content that is determined by a cookie (session cookies for
example), a CORS-less feed would prevent the content from being read by a
different site. Third party readers wouldn't send the cookies anyway, so
it's safe.
If the feed emits CORS headers, this means the feed reader app can now
read the same content the authenticated users get. This is of course very
far-fetched, but technically speaking, unless the user session cookie is
SameSite=Strict, there is a non-zero chance of CORS headers enabling third
party sites to read unauthorized content. A self-plug to a plugin that
adds SameSite header to authentication cookies:
https://wordpress.org/plugins/samesite/
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50441#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
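The cookie-plus-CORS interaction discussed in the comment above, as an added example that is not part of the ticket, the plugin, or WordPress core. It models the two browser rules that together decide whether a script on another site can read an authenticated feed: the SameSite rule that decides whether the session cookie is attached to a cross-site fetch(), and the CORS rule that decides whether the response body becomes readable. The hostnames (blog.example, attacker.example), the shortened cookie name `wordpress_logged_in`, the feed bodies and the `cors` setting on the simulated server are all constructed for the demonstration; the "wildcard" versus "reflect-with-credentials" distinction is the part a practitioner should take away, because `Access-Control-Allow-Origin: *` is refused by browsers on credentialed requests, so it can never expose the logged-in view, whereas echoing the Origin together with `Access-Control-Allow-Credentials: true` can.

```javascript
// Added example, not code from the Trac ticket or from WordPress core.
// Simulates a WordPress feed endpoint and the browser-side checks that decide
// whether a page on attacker.example can read the logged-in user's feed.
// Hostnames, cookie name, feed bodies and the `cors` option are constructed.

// Simulated feed endpoint. `cors` is a hypothetical knob standing in for
// whatever headers a plugin or core patch would emit; it is not a real option.
function serveFeed(request, cors) {
  const loggedIn = request.cookies.includes("wordpress_logged_in");
  const body = loggedIn
    ? "<item>Private draft visible to members</item>"
    : "<item>Public post</item>";
  const headers = {};
  if (cors === "wildcard") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (cors === "reflect-with-credentials") {
    // The dangerous shape: echo the caller's Origin and allow credentials.
    headers["Access-Control-Allow-Origin"] = request.origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: 200, headers, body };
}

// SameSite rule for a cross-site fetch(): a fetch is not a top-level
// navigation, so neither Lax nor Strict cookies are attached; only None is.
function cookieSentOnCrossSiteFetch(sameSite) {
  return sameSite === "None";
}

// CORS response check as the Fetch standard applies it. For a credentialed
// request "*" is not accepted and Allow-Credentials must be exactly "true".
function corsAllowsRead(origin, credentialed, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!credentialed) return acao === "*" || acao === origin;
  return acao === origin && headers["Access-Control-Allow-Credentials"] === "true";
}

// A script on `attackerOrigin` runs
//   fetch("https://blog.example/feed/", { credentials })
// against a victim whose session cookie carries `cookieSameSite`.
function crossSiteFeedRead({ attackerOrigin, credentials, cookieSameSite, cors }) {
  const credentialed = credentials === "include";
  const cookieSent = credentialed && cookieSentOnCrossSiteFetch(cookieSameSite);
  const request = {
    origin: attackerOrigin,
    cookies: cookieSent ? ["wordpress_logged_in"] : [],
  };
  const response = serveFeed(request, cors);
  const readable = corsAllowsRead(attackerOrigin, credentialed, response.headers);
  return { cookieSent, readable, body: readable ? response.body : null };
}

// True only when the attacker's script ends up holding the members-only body.
function leaksPrivateContent(result) {
  return result.readable && result.body.includes("Private");
}

// The configurations the comment reasons about, side by side.
function scenarios() {
  const attackerOrigin = "https://attacker.example";
  const cases = [
    { name: "no CORS headers",            credentials: "include", cookieSameSite: "None",   cors: "none" },
    { name: "* , anonymous fetch",        credentials: "omit",    cookieSameSite: "None",   cors: "wildcard" },
    { name: "* , credentialed fetch",     credentials: "include", cookieSameSite: "None",   cors: "wildcard" },
    { name: "reflect+creds, SameSite=None",   credentials: "include", cookieSameSite: "None",   cors: "reflect-with-credentials" },
    { name: "reflect+creds, SameSite=Lax",    credentials: "include", cookieSameSite: "Lax",    cors: "reflect-with-credentials" },
    { name: "reflect+creds, SameSite=Strict", credentials: "include", cookieSameSite: "Strict", cors: "reflect-with-credentials" },
  ];
  return cases.map((c) => {
    const result = crossSiteFeedRead({ attackerOrigin, ...c });
    return { name: c.name, ...result, leak: leaksPrivateContent(result) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of scenarios()) {
    console.log(`${row.name.padEnd(34)} cookieSent=${row.cookieSent} readable=${row.readable} leak=${row.leak}`);
  }
}
```

Only the "reflect Origin + Allow-Credentials: true" server paired with a SameSite=None cookie yields the private body; with `*`, a credentialed fetch is blocked outright and an anonymous fetch only ever sees the public items. Note that the model treats Lax the same as Strict for a cross-site fetch(), which is how browsers behave, and that Chromium-based browsers treat a cookie with no SameSite attribute as Lax; WordPress core does not set the attribute itself, which is the gap the samesite plugin mentioned above fills.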