New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wpcom.js: Remove problematic "whitelist" langauge #43395 #43641
wpcom.js: Remove problematic "whitelist" langauge #43395 #43641
Conversation
This PR does not affect the size of JS and CSS bundles shipped to the user's browser. Generated by performance advisor bot at iscalypsofastyet.com. |
Linting errors are pre-existing and out of scope for this PR. |
packages/wpcom.js/Makefile
Outdated
@@ -13,7 +13,7 @@ SOURCE_FILES = $(shell find $(ROOT) -name "*.js") | |||
COMPILED_FILES = $(addprefix $(BUILDDIR)/, $(SOURCE_FILES)) | |||
|
|||
JS_FILES := $(SOURCE_FILES) $(wildcard test/*.js) | |||
JS_TESTING_FILES := $(wildcard test/test*.js test-whitelist/test*.js) | |||
JS_TESTING_FILES := $(wildcard test/test*.js test-allow-deny-lists/test*.js) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test-whitelist
name was not very self-explaining, and unfortunately this rename further obfuscates it.
Some sensitive API endpoints (e.g., /me/settings
) can be called only from certain allowed domains which are controlled by a8c: wordpress.com, a8c.com, widgets.wp.com... The REST proxy frame and the server handlers check the Origin
header and deny the request if doesn't come from a trusted one.
Not every random site can load the REST proxy iframe and send any kind of request, even authenticated. E.g., anyone can list posts on a public site, Jetpack sites (not controlled by a8c) can send a limited subset, Atomic and Simple sites are further limited, and only handful of origins have full access.
The tests in test-whitelist
test these limited APIs and therefore need to be run from an allowed origin.
Good name would be test-need-complete-access-origin
or something like that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, thank you! I was struggling to figure out an appropriate alternative. I'll make the updates 😊
2377cea
to
ba99f40
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
Changes proposed in this Pull Request
wpcom.js/test-whitelist
to wpcom.js/test-allow-deny-lists`Testing instructions
Addresses part of #43395