WordPress.org

Making WordPress.org

Opened 2 years ago

Closed 6 months ago

#1756 closed defect (fixed)

Inconsistent and missing CORS headers on plugin/theme API

Reported by: DavidAnderson Owned by: obenland
Milestone: Priority: normal
Component: API Keywords:
Cc:

Description

The wordpress.org plugins/themes API is setting CORS headers on
responses to some calls, but not others... in such a way that even
exactly the same request, by a different route, will get different
results. (I'm writing a JavaScript/browser application that interacts
with the API, and hence needs the headers).

e.g. do a GET for
https://api.wordpress.org/plugins/info/1.1/?action=plugin_information&request%5Bslug%5D=akismet

Result: a CORS header:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2016 11:55:43 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN

but, do a GET for
https://api.wordpress.org/plugins/info/1.0/akismet.json instead, which
requests the same data in the same format, and you get these headers,
resulting in a XMLHttpRequest failure:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jun 2016 11:59:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN

Interestingly the Content-Type header varies also.

Change History (5)

#1 follow-up: @obenland
6 months ago

@dd32 is the missing Access-Control-Allow-Origin: * an oversight or on purpose, based on the different versions?

#2 in reply to: ↑ 1 @dd32
6 months ago

Replying to obenland:

@dd32 is the missing Access-Control-Allow-Origin: * an oversight or on purpose, based on the different versions?

No reason, they were just built at different times for different purposes. All WordPress.org API's are written primarily for the use-case at hand, they're intentionally not designed to cater to all audiences as they're not general-purpose APIs.

I don't see any harm in adding the extra CORS headers to the 1.0/*.json api.

#3 @obenland
6 months ago

  • Owner set to obenland
  • Status changed from new to accepted

#4 @obenland
6 months ago

Fixed in [dotorg13793].

#5 @obenland
6 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed
Note: See TracTickets for help on using tickets.