[wp-hackers] Is disabling remote client access a good idea?
Alan J Castonguay
alan at verselogic.net
Mon Jul 7 18:14:38 GMT 2008
Don't want to re-open the debate about whether APP should be disabled
by default. But if the APP /is/ disabled per enable_xmlrpc, we should
fix the warning/error message.
$allow passed to not_allowed() to generate Status 405 "Method Not
Allowed" is expected to be an array, and joined into a comma-
separated list of allowed values. If we're going to use not_allowed()
to output this warning in the Allow: header, the content should be a
single-element array rather than a string.
However, it may be better to use HTTP Status 403 instead, since
Status 405 "MUST include an Allow header containing a list of valid
methods for the requested resource", not an arbitrary user-oriented
string. With Status 403, WordPress "SHOULD describe the reason for
the refusal in the entity" body, not through the Accept: header.
More information about the wp-hackers