Ajax endpoints serving json as text/html, not application/json. #26
Comments
netcarver
changed the title
|
It seems that even XHR calls serve the json as html... curl -i -X GET 'https://....ddev.site/ajax/foo'
HTTP/2 200
cache-control: no-store, no-cache, must-revalidate
content-type: text/html; charset=utf-8
...
...
...
x-xss-protection: 1; mode=block
[
"<h1>baz<\/h1>"
] |
BernhardBaumrock
added a commit
that referenced
this issue
Apr 13, 2024
|
Hey @netcarver thank you very much for bringing that to my attention! I've just pushed an update that makes that debugging tool a whole lot better! It now supports LiveReload and you can instantly send GET and POST requests from there: |
|
Fantastic, thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you make a non-ajax call to an ajax endpoint as a guest user (so the helpful debug view is off) then the json that is returned has the Content-Type header set to text/html - which is incorrect as it's a json string.
However, if these are ajax endpoints, and the superuser debug display doesn't kick in, then would it be better to reply with a 403 or 404 status code? Anyway, the correct content type should be used here regardless of this decision, which devs may want some control over.
If the json has embedded html strings, then there can be issues. For example: create a file in ajax/foo.php and put the following in it:
Make sure you are logged out (or use an incognito tab) and visit your site's ajax/foo endpoint in a browser.
The text was updated successfully, but these errors were encountered: