riverside / http-headers
HTTP Headers for WordPress
Home Page: https://wordpress.org/plugins/http-headers/
License: GNU General Public License v2.0
The `Report-To` header returned by the plugin is not correctly formed.

A sample header as returned looks like the following (pretty-printed for readability):

```json
{
  "url": "https://example.com/reports",
  "group": "default",
  "max-age": 86400
}
```

According to Section 3.1 of the specification the JSON object should have:

- `group` (string) member
- `include_subdomains` (boolean) member
- `max_age` (number; positive integer) member
- `endpoints` (array) member

The `url` member being returned is not expected at the top level of the JSON object, but instead should be included as a required member of each array element in the `endpoints` member. Each array element may also include optional `priority` and `weight` members, but this is not supported yet by the plugin.

Taking the earlier returned response the correct format would be (pretty-printed for readability):

```json
{
  "group": "default",
  "max_age": 86400,
  "endpoints": [
    { "url": "https://example.com/reports" }
  ]
}
```

The UI for configuring this header probably needs to be reworked a bit as it has the following related issues:

- A `group` contains one or more `endpoints` (as array elements). If multiple entries are provided with the same group, they should be added as separate array elements to the `endpoints` member of the same underlying `group`.
- The `include_subdomains` field is specific to a `group` and not a `url`. If two URLs are configured with the same group but different values for `include_subdomains`, this cannot be represented according to the specification.
- `max_age`, which is specific to a `group` and not a `url`.
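One way to emit a value shaped as Section 3.1 requires, grouping configured entries by `group` and nesting each `url` under `endpoints`, as an added PHP example that is not the plugin's own code (the `$rows` layout with `url`, `group`, `max_age`, `include_subdomains`, `priority` and `weight` keys is an assumed representation of the plugin's per-entry settings):

```php
<?php
// Added example, not code from the http-headers plugin. Builds a Report-To
// value with one JSON object per group and url (plus optional priority/weight)
// nested in "endpoints". The $rows layout is an assumed settings representation.
function build_report_to_header(array $rows): string
{
    $groups = [];
    foreach ($rows as $row) {
        // Rows without a usable endpoint URL cannot form an endpoint; skip them.
        if (empty($row['url']) || !filter_var($row['url'], FILTER_VALIDATE_URL)) {
            continue;
        }
        // The specification treats a missing group name as "default".
        $name = (isset($row['group']) && $row['group'] !== '') ? (string) $row['group'] : 'default';
        if (!isset($groups[$name])) {
            // Group-level settings come from the first row seen for that group; a later
            // row with a different include_subdomains or max_age cannot be represented.
            $groups[$name] = [
                'group'     => $name,
                'max_age'   => max(1, (int) ($row['max_age'] ?? 86400)),
                'endpoints' => [],
            ];
            if (!empty($row['include_subdomains'])) {
                $groups[$name]['include_subdomains'] = true;
            }
        }
        $endpoint = ['url' => $row['url']];
        foreach (['priority', 'weight'] as $opt) {
            if (isset($row[$opt]) && $row[$opt] !== '') {
                $endpoint[$opt] = (int) $row[$opt];
            }
        }
        $groups[$name]['endpoints'][] = $endpoint;
    }
    // The header value is a comma-separated list of JSON objects, one per group.
    $objects = [];
    foreach ($groups as $group) {
        $objects[] = json_encode($group, JSON_UNESCAPED_SLASHES);
    }
    return implode(', ', $objects);
}

// Constructed sample rows: two endpoints share group "default" and collapse into
// one object with a two-element "endpoints" array.
$rows = [
    ['url' => 'https://example.com/reports', 'group' => 'default', 'max_age' => 86400, 'include_subdomains' => 1],
    ['url' => 'https://backup.example.com/reports', 'group' => 'default', 'max_age' => 86400, 'priority' => 2],
];
header('Report-To: ' . build_report_to_header($rows));
```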
Hello,
I tried your plugin and it seems it doesn't support altering requests that are sent to a WordPress blog's RSS feed.
The usual url is https://some-blog.com/feed. Here is my example feed -> https://quickcoder.org/feed
Although I activated the "Access-Control-Allow-Origin" header, it doesn't work for the feed page. I still get a CORS error when using a custom app to access the content. Other pages on my blog work fine though with this app.
If you need further information, I'd be happy to supply those. Thanks!
Hey!
Thanks a lot for this plugin!
There is a new experimental option `credentialless` for the `Cross-Origin-Embedder-Policy` header.
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
Is it possible to add? I can create a PR by myself if it's needed.
thanks in advance
Great work on a fantastic plugin! Makes managing the ever-increasing number of important HTTP headers much easier.
One header the plugin doesn't currently support is the `NEL` (Network Error Logging) header. This header works in conjunction with the `Report-To` header to enable browsers to report network events such as failed requests. It's a relatively simple header, and given your existing support for `Report-To` I expect it would be relatively simple to implement. What are your thoughts?
Some background information:
Hello!
We've been alerted to a vulnerability involving SQL injection in the plugin, regarding version 1.18.9.
A few users have reported this on the Plugin support:
https://wordpress.org/support/topic/vulnerability-65/
https://wordpress.org/support/topic/http-headers-1-18-9-authenticatedadministrator-sql-injection/
Thanks for your attention!
It might be helpful to users to link the header names to the appropriate MDN doc.
Hi
Thanks a lot for your WordPress HTTP Headers plugin.
Can you please give us a basic setting for the CSP implementation?
If I follow the recommendations from https://infosec.mozilla.org/guidelines/web_security#content-security-policy I block many things on a basic WP site.
For instance the /wp-admin/plugin-install.php page doesn't display the extension image anymore.
Since your plugin is for WP, can you please give these basic settings for the Content Security Policy?
thanks