Issues with strict MIME type checking enabled
When the header “X-Content-Type-Options: nosniff” is supplied, the remote JS login functionality fails because the response from the load action is transferred as text/html.
The response should be transferred as “application/javascript” by setting the proper headers prior to output. Here’s the diff:
diff --git a/wordpress-mu-domain-mapping/domain_mapping.php b/wordpress-mu-domain-mapping/domain_mapping.php index 2241b15..6fa06c9 100644 --- a/wordpress-mu-domain-mapping/domain_mapping.php +++ b/wordpress-mu-domain-mapping/domain_mapping.php @@ -736,6 +736,7 @@ function remote_login_js() { $key = md5( time() . mt_rand() ); $wpdb->query( $wpdb->prepare( "INSERT INTO {$wpdb->dmtablelogins} ( <code>id</code>, <code>user_id</code>, <code>blog_id</code>, <code>t</code> ) VALUES( %s, %d, %d, NOW() )", $key, $current_user->ID, $_GET[ 'blogid' ] ) ); $url = add_query_arg( array( 'action' => 'login', 'dm' => $hash, 'k' => $key, 't' => mt_rand() ), $_GET[ 'back' ] ); + header('Content-Type: application/javascript'); echo "window.location = '$url'"; exit; } elseif ( $_GET[ 'action' ] == 'login' ) {
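Review bot: on the echo line directly after the added header() call, $url is interpolated into a single-quoted JavaScript string without any escaping, and $url is built by add_query_arg() from $_GET[ 'back' ]. Since the response is now explicitly declared as script, the value should be encoded for a JavaScript context before output, for example echo 'window.location = ' . wp_json_encode( $url ) . ';'; and the back target should be checked to be an expected site URL before it is used as a redirect. The header could also state the charset, as in header( 'Content-Type: application/javascript; charset=UTF-8' );. Separately, in the unchanged context, $key = md5( time() . mt_rand() ) derives the login key from predictable inputs; a value from a cryptographically secure random source would be a safer choice.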