Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Third-party AJAX requests not detected #1327

Closed
herrvigg opened this issue Apr 17, 2023 · 1 comment
Closed

Third-party AJAX requests not detected #1327

herrvigg opened this issue Apr 17, 2023 · 1 comment
Labels
bug Something isn't working, reproducible core Core functionalities, including the admin section severity: major Major functionality

Comments

@herrvigg
Copy link
Collaborator

Checking wp_doing_ajax() is only a partial check that is valid for WordPress Ajax requests, but not for all the other plugins.

This HTTP variable should be checked: HTTP_X_REQUESTED_WITH: XMLHttpRequest. See also RFC6648: Deprecating the "X-" Prefix.

Much likely this had no big impact for the redirects because qtranxf_can_redirect cancels requests containing a non-empty $_POST that is generally set with Ajax requests, but this may impact other parts.
@herrvigg herrvigg added bug Something isn't working, reproducible severity: major Major functionality labels Apr 17, 2023
@herrvigg herrvigg mentioned this issue Apr 17, 2023
Closed
@herrvigg herrvigg added the core Core functionalities, including the admin section label Apr 19, 2023
herrvigg added a commit that referenced this issue Apr 19, 2023
@herrvigg
Fix third-party Ajax requests not detected (#1327)
7debfc7 
Improve Ajax detection to other sources than WP by checking the HTTP
vars HTTP_X_REQUESTED_WITH / HTTP_REQUESTED_WITH = XMLHttpRequest.

Use this extended detection of Ajax for:
- blocking `qtranxf_can_redirect` (URL/language redirect)
- not sending back HTTP cookies
- special admin handling of HTTP referrer (only used for admin terms).
@herrvigg
Copy link
Collaborator Author

Fix released in 3.14.2.

Use this extended detection of Ajax for:

  • blocking qtranxf_can_redirect (URL/language redirect)
  • not sending back HTTP cookies
  • special admin handling of HTTP referrer (only used for admin terms).

herrvigg added a commit that referenced this issue Apr 19, 2023
@herrvigg
Fix wrong Ajax check (#1327)
7f21e7c
herrvigg added a commit that referenced this issue Apr 19, 2023
@herrvigg
Fix third-party Ajax requests not detected (#1327)
f4993fe 
Improve Ajax detection to other sources than WP by checking the HTTP
vars HTTP_X_REQUESTED_WITH / HTTP_REQUESTED_WITH = XMLHttpRequest.

Use this extended detection of Ajax for:
- blocking `qtranxf_can_redirect` (URL/language redirect)
- not sending back HTTP cookies
- special admin handling of HTTP referrer (only used for admin terms).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working, reproducible core Core functionalities, including the admin section severity: major Major functionality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@herrvigg