Skip to content

fix: Editor assets endpoint enforces absolute URLs #45319

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 30, 2025
Merged

fix: Editor assets endpoint enforces absolute URLs #45319

merged 3 commits into from
Sep 30, 2025

Conversation

dcalhoun
Copy link
Member

@dcalhoun dcalhoun commented Sep 26, 2025
edited
Loading

Proposed changes:

Enforce absolute URLs for the editor assets endpoint to avoid failed asset requests originating from the fact that clients send requests for their own origin. Relative URLs inherently fail as the client origin does not match the site origin, and the asset is unavailable on the client origin.

relative-asset-url-failure

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

N/A

Does this pull request change what data or activity we track or use?

No

Testing instructions:

  1. Apply these Jetpack changes to your site (see comment).
  2. Proxy your requests to your sandbox server.
  3. Make a request to the /wpcom/v2/sites/<site_id>/editor-assets endpoint for the WPCOM site—via API Console, curl, etc.
  4. Verify the 200 response does not include relative paths—e.g., /wp-includes/js/dist/vendor/lodash.min.js—but instead uses absolute URLs for these assets.

@dcalhoun
fix: Editor assets endpoint enforces absolute URLs
496c537 
Relative URLs inherently fail in local client editors that are served
from origins other than the site origin. Using absolute URLs ensures the
asset source is correct.
@dcalhoun
test: Assert editor asset endpoint enforces absolute URLs
752f11a
@dcalhoun
changelog
e73b0a1
@dcalhoun dcalhoun added [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it [Status] In Progress [Feature] WP REST API [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ labels Sep 26, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 26, 2025
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack), and enable the fix/editor-assets-endpoint-enforces-absolute-urls branch.
  • To test on Simple, run the following command on your sandbox:
bin/jetpack-downloader test jetpack fix/editor-assets-endpoint-enforces-absolute-urls

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions GitHub Actions
Copy link
Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Review, ...).
  • ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Make sure to test your changes on all platforms that it applies to. You're responsible for the quality of the code you ship.
  3. You can use GitHub's Reviewers functionality to request a review.
  4. When it's reviewed and merged, you will be pinged in Slack to deploy the changes to WordPress.com simple once the build is done.

If you have questions about anything, reach out in #jetpack-developers for guidance!

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen as soon as you deploy your changes after merging this PR (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly:
    • Scheduled release: October 7, 2025
    • Code freeze: October 6, 2025

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@jp-launch-control JP Launch Control
Copy link

Code Coverage Summary

Coverage changed in 1 file.

File Coverage Δ% Δ Uncovered
projects/plugins/jetpack/_inc/lib/core-api/wpcom-endpoints/class-wpcom-rest-api-v2-endpoint-block-editor-assets.php 148/156 (94.87%) 0.24% 0 💚

Full summary · PHP report · JS report

@dcalhoun dcalhoun marked this pull request as ready for review September 26, 2025 18:39
@dcalhoun dcalhoun requested a review from kean September 26, 2025 18:39
@dcalhoun dcalhoun added [Status] Needs Review This PR is ready for review. and removed [Status] In Progress labels Sep 26, 2025
kean
kean approved these changes Sep 29, 2025
View reviewed changes
Copy link

@kean kean left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed the code – the changes look good, with minor nit. I didn't test it.

@dcalhoun dcalhoun merged commit e2e1afb into trunk Sep 30, 2025
80 checks passed
@dcalhoun dcalhoun deleted the fix/editor-assets-endpoint-enforces-absolute-urls branch September 30, 2025 13:24
@github-actions github-actions bot removed the [Status] Needs Review This PR is ready for review. label Sep 30, 2025
@github-actions github-actions bot added this to the jetpack/15.1 milestone Sep 30, 2025
@dcalhoun dcalhoun mentioned this pull request Oct 2, 2025
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dilirity dilirity dilirity left review comments

@kean kean kean approved these changes

Assignees
No one assigned
Labels
[Feature] WP REST API [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Tests] Includes Tests [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it
Projects
None yet
Milestone
jetpack/15.1
Development

Successfully merging this pull request may close these issues.
3 participants
@dcalhoun @kean @dilirity