• I noticed today that the newest versions of WordPress core have added a new item to the page header:

    <link rel='https://api.w.org/' href='[site]/wp-json/' />

    … which I understand is for the new REST API. I am not a programmer or developer, so I have only a very remote idea of what the API is supposed to do.

    However, I have a very important question: Does this API have any privacy implications for my visitors? Is visitor information being transmitted to some external server each time a page with this header loads? If so, to where?

    With embedded content — such as the Google Fonts that WordPress keeps insisting on using — whatever server is actually serving the content typically records each viewer’s IP address, browser type, etc. If that’s happening here, I need to know so that I can correctly reflect that in my privacy policies.

    Can someone provide a non-programmer answer to this? Thanks!

Viewing 1 replies (of 1 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    However, I have a very important question: Does this API have any privacy implications for my visitors?

    Non-programmer answer is that it’s fine and there’s no privacy issue or data leakage for your users. Nothing is being transmitted to anyone. That <link rel= is for describing the page, and doesn’t send any data anywhere.

    Longer answer:

    The /wp-json/ part in the HTML only describes and provides an alternate way to process what’s already presented.

    For example, look at this post.

    WordPress 4.4 “Clifford”

    If you look at the HTML source code you’ll find this.

    <link rel='https://api.w.org/' href='https://www.ads-software.com/news/wp-json/' />

    And my favorite part is these 2 lines.

    <link rel="alternate" type="application/json+oembed" href="https://www.ads-software.com/news/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.ads-software.com%2Fnews%2F2015%2F12%2Fclifford%2F" />
    <link rel="alternate" type="text/xml+oembed" href="https://www.ads-software.com/news/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.ads-software.com%2Fnews%2F2015%2F12%2Fclifford%2F&format=xml" />

    The first one is a link tag which just at a high level defines a relationship (see the rel= part?) with https://api.w.org/ which doesn’t really do anything. That web page is a place holder right now. Even if it gets populated with data your WordPress installation won’t send anything. That’s not what the rel= is for.

    https://www.w3schools.com/tags/tag_link.asp

    The next ones are what tell other sites that you can oEmbed the post. That contains information to make it work.

    If you look at this XML link, it’s almost human readable.

    This was a new WordPress 4.4 feature.

    New Embeds Feature in WordPress 4.4

    That post I mentioned? The oEmbed portion puts this in a neat iframe.

    WordPress 4.4 “Clifford”

    That link above will show you what it looks like without the frame. It looks better in a rectangular box. The embedded portion is not the full article, just a snippet of the post content.

    You can disable the new oEmbed code with this small plugin.

    https://www.ads-software.com/plugins/disable-embeds/

    I hope that explains it to you.

  • The topic ‘Visitor privacy implications of REST API?’ is closed to new replies.
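
An added example, not part of the original thread: a Python sketch that audits a page's <link> tags and separates the ones a browser fetches on page load (such as a stylesheet from a font host) from the ones that only describe a relationship (such as the api.w.org and oEmbed links discussed above). The host example.test, the sample markup and the set of rel values treated as fetching are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: rel tokens that make a browser contact the href host on page load.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload",
                 "prefetch", "preconnect"}

class LinkAudit(HTMLParser):
    """Collect <link> tags and note which ones a browser would fetch on load."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.rows = []  # (rel, host, fetched_on_load, third_party)

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        host = urlparse(a.get("href") or "").hostname or self.site_host
        # A rel that is itself a URL (https://api.w.org/) is only a label.
        fetched = any(token in FETCHING_RELS for token in rel.split())
        self.rows.append((rel, host, fetched, host != self.site_host))

def audit(html, site_host):
    parser = LinkAudit(site_host)
    parser.feed(html)
    return parser.rows

def third_party_contacts(html, site_host):
    """Hosts other than the site that visitors' browsers contact via <link>."""
    return sorted({host for _, host, fetched, external
                   in audit(html, site_host) if fetched and external})

# Constructed sample <head>; example.test and the URLs are illustrative.
SAMPLE_HEAD = """
<link rel='https://api.w.org/' href='https://example.test/wp-json/' />
<link rel="alternate" type="application/json+oembed" href="https://example.test/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.test%2Fpost%2F" />
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css" />
"""

if __name__ == "__main__":
    for rel, host, fetched, external in audit(SAMPLE_HEAD, "example.test"):
        print(f"{rel:30} {host:22} fetched={fetched} third_party={external}")
    print("Third-party hosts:", third_party_contacts(SAMPLE_HEAD, "example.test"))
```

Hosts returned by third_party_contacts are the ones a privacy policy would need to account for; the descriptive links never appear there.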