api->server->send_status( 400 ); $data = array( array( 'code' => 'woocommerce_api_jsonp_disabled', 'message' => __( 'JSONP support is disabled on this site', 'woocommerce' ) ) ); } // Check for invalid characters (only alphanumeric allowed) if ( preg_match( '/\W/', $_GET['_jsonp'] ) ) { WC()->api->server->send_status( 400 ); $data = array( array( 'code' => 'woocommerce_api_jsonp_callback_invalid', __( 'The JSONP callback function is invalid', 'woocommerce' ) ) ); } // see http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/ WC()->api->server->header( 'X-Content-Type-Options', 'nosniff' ); // Prepend '/**/' to mitigate possible JSONP Flash attacks return '/**/' . $_GET['_jsonp'] . '(' . json_encode( $data ) . ')'; } return json_encode( $data ); } }