Ajax endpoints serving json as text/html, not application/json. #26
netcarver changed the title from "Ajax endpoints serving json as text/html when accessed from non XHR requests." to "Ajax endpoints serving json as text/html, not application/json." on Apr 12, 2024
It seems that even XHR calls serve the json as html...
curl -i -X GET 'https://....ddev.site/ajax/foo'
HTTP/2 200
cache-control: no-store, no-cache, must-revalidate
content-type: text/html; charset=utf-8
...
...
...
x-xss-protection: 1; mode=block
[
"<h1>baz<\/h1>"
]
BernhardBaumrock added a commit that referenced this issue on Apr 13, 2024
Hey @netcarver thank you very much for bringing that to my attention! I've just pushed an update that makes that debugging tool a whole lot better! It now supports LiveReload and you can instantly send GET and POST requests from there:
Fantastic, thank you!
If you make a non-ajax call to an ajax endpoint as a guest user (so the helpful debug view is off) then the json that is returned has the Content-Type header set to text/html - which is incorrect as it's a json string.
However, if these are ajax endpoints, and the superuser debug display doesn't kick in, then would it be better to reply with a 403 or 404 status code? Anyway, the correct content type should be used here regardless of this decision, which devs may want some control over.
If the json has embedded html strings, then there can be issues. For example: create a file in ajax/foo.php and put the following in it:
Make sure you are logged out (or use an incognito tab) and visit your site's ajax/foo endpoint in a browser.
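A response check for the situation described in this issue, as an added example that is not part of the original thread or the project's code: it parses raw `curl -i` output and reports a JSON body served with a non-JSON media type, and whether its strings contain HTML tags that a browser would render under that type. The sample response is constructed from the output quoted in the thread, and the names `parse_response`, `strings_in` and `audit` are assumptions of this example.

```python
import json
import re

# Constructed sample modelled on the `curl -i` output quoted in this issue
# (the elided headers are left out).
SAMPLE = (
    "HTTP/2 200\r\n"
    "cache-control: no-store, no-cache, must-revalidate\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "\r\n"
    '[\n    "<h1>baz<\\/h1>"\n]'
)
MARKUP = re.compile(r"<[a-zA-Z!/][^>]*>")  # anything shaped like an HTML tag


def parse_response(raw):
    """Split raw `curl -i` text into (lowercased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def strings_in(node):
    """Yield every string (keys and values) in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        kids = list(node) + list(node.values()) if isinstance(node, dict) else node
        for kid in kids:
            yield from strings_in(kid)


def audit(raw):
    """Return findings for a JSON body served with a non-JSON media type."""
    headers, body = parse_response(raw)
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # body is not JSON, nothing to report
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    if media == "application/json" or media.endswith("+json"):
        return []
    findings = [f"json-body-served-as:{media or 'missing'}"]
    if any(MARKUP.search(s) for s in strings_in(doc)):
        findings.append("markup-in-json-strings")  # would render as HTML
    return findings
```

Feed it the saved output of `curl -i` for each endpoint, fetched as a logged-out user, and treat any non-empty result as a failing check.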