[wp-trac] [WordPress Trac] #59631: Despite using Update URI Plugin header, WP still tries to fetch the Update notes from WP org
WordPress Trac
noreply at wordpress.org
Fri Oct 11 12:55:06 UTC 2024
#59631: Despite using Update URI Plugin header, WP still tries to fetch the Update
notes from WP org
--------------------------+------------------------------
 Reporter:  bedas         |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Plugins       |     Version:  5.8
 Severity:  normal        |  Resolution:
 Keywords:  2nd-opinion   |     Focuses:  administration
--------------------------+------------------------------
Comment (by webdados):

IMHO, setting the "Update URI" (to false for example), should deactivate
any update or information request to the wordpress.org API.

On the wp_update_plugins routine, all the installed plugins are queried on
wordpress.org, even if they're not part of the repo, and have specifically
set Update URI as false (as mentioned here
https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/).

I suggest we make the "false" value on "Update URI" a clear instruction
from the developer that the plugin does not belong to the repo and it
should not be included in any API call whatsoever.

As we stand now, we might be creating serious confidentiality issues and
even breaking the GDPR laws. If someone develops a private plugin for a
company, there's no reason why .org should receive its headers which may
include information about the developer and the company that should not be
shared by 3rd parties (in which case WordPress.org is the 3rd party).
--
Ticket URL: <https://core.trac.wordpress.org/ticket/59631#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
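
A site-side way to keep private plugins out of the update check described in the comment above, as an added example that is not WordPress core code and not from the commenter. It assumes the request posts a `plugins` body field holding JSON with `plugins` (file => headers) and `active` keys, and that it is loaded as a must-use plugin; the function name `example_strip_private_plugins` is hypothetical.

```php
<?php
// Added example, not WordPress core code.
// Assumption: the update-check body field 'plugins' is a JSON string shaped as
// { "plugins": { "<plugin file>": { ...headers... } }, "active": [ "<plugin file>", ... ] }.

// Drop every plugin whose "Update URI" header is the literal string "false".
function example_strip_private_plugins( string $json ): string {
	$payload = json_decode( $json, true );
	if ( ! is_array( $payload ) || empty( $payload['plugins'] ) || ! is_array( $payload['plugins'] ) ) {
		return $json; // Unknown shape: leave the request untouched.
	}
	$removed = array();
	foreach ( $payload['plugins'] as $file => $headers ) {
		$uri = ( is_array( $headers ) && isset( $headers['UpdateURI'] ) )
			? strtolower( trim( (string) $headers['UpdateURI'] ) )
			: '';
		if ( 'false' === $uri ) {
			unset( $payload['plugins'][ $file ] );
			$removed[] = $file;
		}
	}
	if ( ! $removed ) {
		return $json;
	}
	// The active list names the same files, so remove them there as well.
	if ( isset( $payload['active'] ) && is_array( $payload['active'] ) ) {
		$payload['active'] = array_values( array_diff( $payload['active'], $removed ) );
	}
	return wp_json_encode( $payload );
}

// Rewrite only the outgoing plugin update-check request to api.wordpress.org.
add_filter( 'http_request_args', function ( $args, $url ) {
	$host = wp_parse_url( $url, PHP_URL_HOST );
	$path = (string) wp_parse_url( $url, PHP_URL_PATH );
	if ( 'api.wordpress.org' !== $host || 0 !== strpos( $path, '/plugins/update-check/' ) ) {
		return $args;
	}
	if ( is_array( $args['body'] ?? null ) && is_string( $args['body']['plugins'] ?? null ) ) {
		$args['body']['plugins'] = example_strip_private_plugins( $args['body']['plugins'] );
	}
	return $args;
}, 10, 2 );
```

This touches only the update-check request; any other request to the wordpress.org API is left as it is.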