Changeset 62081

Timestamp:

03/20/2026 05:09:14 PM (8 days ago)

Author:

adamsilverstein

Message:

Media: Remove client-side media processing feature for now.

Punt the wasm-vips client-side media processing feature to a future release when it can include more features. The VIPS WASM worker adds too much build size overhead for the current value provided. Removes all PHP functions, REST API endpoints, cross-origin isolation infrastructure, VIPS script module handling, build configuration, and associated tests.

Props adamsilverstein, jorbin.
Fixes #64906.

Location:

trunk

Files:

• Gruntfile.js (modified) (1 diff)
• src/wp-includes/default-filters.php (modified) (1 diff)
• src/wp-includes/media-template.php (modified) (2 diffs)
• src/wp-includes/media.php (modified) (1 diff)
• src/wp-includes/rest-api/class-wp-rest-server.php (modified) (1 diff)
• src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php (modified) (11 diffs)
• src/wp-includes/script-modules.php (modified) (1 diff)
• tests/phpunit/tests/media/wpCrossOriginIsolation.php (modified) (1 diff)
• tests/phpunit/tests/media/wpGetChromiumMajorVersion.php (modified) (1 diff)
• tests/phpunit/tests/rest-api/rest-attachments-controller.php (modified) (3 diffs)
• tests/phpunit/tests/rest-api/rest-schema-setup.php (modified) (2 diffs)
• tests/phpunit/tests/script-modules/wpScriptModules.php (modified) (2 diffs)
• tests/qunit/fixtures/wp-api-generated.js (modified) (3 diffs)
• tools/gutenberg/copy.js (modified) (2 diffs)

trunk/Gruntfile.js

@@ -660 +660 @@
                         '**/*',
                         '!**/*.map',
-                        // Skip non-minified VIPS files — they are ~16MB of inlined WASM
-                        // with no debugging value over the minified versions.
-                        '!vips/!(*.min).js',
+                        '!vips/**',
                     ],
                     dest: WORKING_DIR + 'wp-includes/js/dist/script-modules/',

trunk/src/wp-includes/default-filters.php

@@ -679 +679 @@
 add_filter( 'plupload_default_settings', 'wp_show_heic_upload_error' );
 
-// Client-side media processing.
-add_action( 'admin_init', 'wp_set_client_side_media_processing_flag' );
-// Cross-origin isolation for client-side media processing.
-add_action( 'load-post.php', 'wp_set_up_cross_origin_isolation' );
-add_action( 'load-post-new.php', 'wp_set_up_cross_origin_isolation' );
-add_action( 'load-site-editor.php', 'wp_set_up_cross_origin_isolation' );
-add_action( 'load-widgets.php', 'wp_set_up_cross_origin_isolation' );
 // Nav menu.
 add_filter( 'nav_menu_item_id', '_nav_menu_item_id_use_once', 10, 2 );

trunk/src/wp-includes/media-template.php

@@ -157 +157 @@
     $class = 'media-modal wp-core-ui';
 
-    $is_cross_origin_isolation_enabled = wp_is_client_side_media_processing_enabled();
-
-    if ( $is_cross_origin_isolation_enabled ) {
-        ob_start();
-    }
-
     $alt_text_description = sprintf(
         /* translators: 1: Link to tutorial, 2: Additional link attributes, 3: Accessibility text. */
@@ -1589 +1583 @@
      */
     do_action( 'print_media_templates' );
-
-    if ( $is_cross_origin_isolation_enabled ) {
-        $html = (string) ob_get_clean();
-
-        /*
-         * The media templates are inside <script type="text/html"> tags,
-         * whose content is treated as raw text by the HTML Tag Processor.
-         * Extract each script block's content, process it separately,
-         * then reassemble the full output.
-         */
-        $script_processor = new WP_HTML_Tag_Processor( $html );
-        while ( $script_processor->next_tag( 'SCRIPT' ) ) {
-            if ( 'text/html' !== $script_processor->get_attribute( 'type' ) ) {
-                continue;
-            }
-            /*
-             * Unlike wp_add_crossorigin_attributes(), this does not check whether
-             * URLs are actually cross-origin. Media templates use Underscore.js
-             * template expressions (e.g. {{ data.url }}) as placeholder URLs,
-             * so actual URLs are not available at parse time.
-             * The crossorigin attribute is added unconditionally to all relevant
-             * media tags to ensure cross-origin isolation works regardless of
-             * the final URL value at render time.
-             */
-            $template_processor = new WP_HTML_Tag_Processor( $script_processor->get_modifiable_text() );
-            while ( $template_processor->next_tag() ) {
-                if (
-                    in_array( $template_processor->get_tag(), array( 'AUDIO', 'IMG', 'VIDEO' ), true )
-                    && ! is_string( $template_processor->get_attribute( 'crossorigin' ) )
-                ) {
-                    $template_processor->set_attribute( 'crossorigin', 'anonymous' );
-                }
-            }
-            $script_processor->set_modifiable_text( $template_processor->get_updated_html() );
-        }
-
-        echo $script_processor->get_updated_html();
-    }
 }

trunk/src/wp-includes/media.php

@@ -6401 +6401 @@
 }
 
-/**
- * Checks whether client-side media processing is enabled.
- *
- * Client-side media processing uses the browser's capabilities to handle
- * tasks like image resizing and compression before uploading to the server.
- *
- * @since 7.0.0
- *
- * @return bool Whether client-side media processing is enabled.
- */
-function wp_is_client_side_media_processing_enabled(): bool {
-    // This is due to SharedArrayBuffer requiring a secure context.
-    $host    = strtolower( (string) strtok( $_SERVER['HTTP_HOST'] ?? '', ':' ) );
-    $enabled = ( is_ssl() || 'localhost' === $host || str_ends_with( $host, '.localhost' ) );
-
-    /**
-     * Filters whether client-side media processing is enabled.
-     *
-     * @since 7.0.0
-     *
-     * @param bool $enabled Whether client-side media processing is enabled. Default true if the page is served in a secure context.
-     */
-    return (bool) apply_filters( 'wp_client_side_media_processing_enabled', $enabled );
-}
-
-/**
- * Sets a global JS variable to indicate that client-side media processing is enabled.
- *
- * @since 7.0.0
- */
-function wp_set_client_side_media_processing_flag(): void {
-    if ( ! wp_is_client_side_media_processing_enabled() ) {
-        return;
-    }
-
-    wp_add_inline_script( 'wp-block-editor', 'window.__clientSideMediaProcessing = true;', 'before' );
-
-    $chromium_version = wp_get_chromium_major_version();
-
-    if ( null !== $chromium_version && $chromium_version >= 137 ) {
-        wp_add_inline_script( 'wp-block-editor', 'window.__documentIsolationPolicy = true;', 'before' );
-    }
-
-    /*
-     * Register the @wordpress/vips/worker script module as a dynamic dependency
-     * of the wp-upload-media classic script. This ensures it is included in the
-     * import map so that the dynamic import() in upload-media.js can resolve it.
-     */
-    wp_scripts()->add_data(
-        'wp-upload-media',
-        'module_dependencies',
-        array( '@wordpress/vips/worker' )
-    );
-}
-
-/**
- * Returns the major Chrome/Chromium version from the current request's User-Agent.
- *
- * Matches all Chromium-based browsers (Chrome, Edge, Opera, Brave).
- *
- * @since 7.0.0
- *
- * @return int|null The major Chrome version, or null if not a Chromium browser.
- */
-function wp_get_chromium_major_version(): ?int {
-    if ( empty( $_SERVER['HTTP_USER_AGENT'] ) ) {
-        return null;
-    }
-    if ( preg_match( '#Chrome/(\d+)#', $_SERVER['HTTP_USER_AGENT'], $matches ) ) {
-        return (int) $matches[1];
-    }
-    return null;
-}
-
-/**
- * Enables cross-origin isolation in the block editor.
- *
- * Required for enabling SharedArrayBuffer for WebAssembly-based
- * media processing in the editor. Uses Document-Isolation-Policy
- * on supported browsers (Chromium 137+).
- *
- * Skips setup when a third-party page builder overrides the block
- * editor via a custom `action` query parameter, as DIP would block
- * same-origin iframe access that these editors rely on.
- *
- * @since 7.0.0
- */
-function wp_set_up_cross_origin_isolation(): void {
-    if ( ! wp_is_client_side_media_processing_enabled() ) {
-        return;
-    }
-
-    $screen = get_current_screen();
-
-    if ( ! $screen ) {
-        return;
-    }
-
-    if ( ! $screen->is_block_editor() && 'site-editor' !== $screen->id && ! ( 'widgets' === $screen->id && wp_use_widgets_block_editor() ) ) {
-        return;
-    }
-
-    /*
-     * Skip when a third-party page builder overrides the block editor.
-     * DIP isolates the document into its own agent cluster,
-     * which blocks same-origin iframe access that these editors rely on.
-     */
-    if ( isset( $_GET['action'] ) && 'edit' !== $_GET['action'] ) {
-        return;
-    }
-
-    // Cross-origin isolation is not needed if users can't upload files anyway.
-    if ( ! current_user_can( 'upload_files' ) ) {
-        return;
-    }
-
-    wp_start_cross_origin_isolation_output_buffer();
-}
-
-/**
- * Sends the Document-Isolation-Policy header for cross-origin isolation.
- *
- * Uses an output buffer to add crossorigin="anonymous" where needed.
- *
- * @since 7.0.0
- */
-function wp_start_cross_origin_isolation_output_buffer(): void {
-    $chromium_version = wp_get_chromium_major_version();
-
-    if ( null === $chromium_version || $chromium_version < 137 ) {
-        return;
-    }
-
-    ob_start(
-        static function ( string $output ): string {
-            header( 'Document-Isolation-Policy: isolate-and-credentialless' );
-
-            return wp_add_crossorigin_attributes( $output );
-        }
-    );
-}
-
-/**
- * Adds crossorigin="anonymous" to relevant tags in the given HTML string.
- *
- * @since 7.0.0
- *
- * @param string $html HTML input.
- * @return string Modified HTML.
- */
-function wp_add_crossorigin_attributes( string $html ): string {
-    $site_url = site_url();
-
-    $processor = new WP_HTML_Tag_Processor( $html );
-
-    // See https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/crossorigin.
-    $cross_origin_tag_attributes = array(
-        'AUDIO'  => array( 'src' => false ),
-        'LINK'   => array( 'href' => false ),
-        'SCRIPT' => array( 'src' => false ),
-        'VIDEO'  => array(
-            'src'    => false,
-            'poster' => false,
-        ),
-        'SOURCE' => array( 'src' => false ),
-    );
-
-    while ( $processor->next_tag() ) {
-        $tag = $processor->get_tag();
-
-        if ( ! isset( $cross_origin_tag_attributes[ $tag ] ) ) {
-            continue;
-        }
-
-        if ( 'AUDIO' === $tag || 'VIDEO' === $tag ) {
-            $processor->set_bookmark( 'audio-video-parent' );
-        }
-
-        $processor->set_bookmark( 'resume' );
-
-        $sought = false;
-
-        $crossorigin = $processor->get_attribute( 'crossorigin' );
-
-        $is_cross_origin = false;
-
-        foreach ( $cross_origin_tag_attributes[ $tag ] as $attr => $is_srcset ) {
-            if ( $is_srcset ) {
-                $srcset = $processor->get_attribute( $attr );
-                if ( is_string( $srcset ) ) {
-                    foreach ( explode( ',', $srcset ) as $candidate ) {
-                        $candidate_url = strtok( trim( $candidate ), ' ' );
-                        if ( is_string( $candidate_url ) && '' !== $candidate_url && ! str_starts_with( $candidate_url, $site_url ) && ! str_starts_with( $candidate_url, '/' ) ) {
-                            $is_cross_origin = true;
-                            break;
-                        }
-                    }
-                }
-            } else {
-                $url = $processor->get_attribute( $attr );
-                if ( is_string( $url ) && ! str_starts_with( $url, $site_url ) && ! str_starts_with( $url, '/' ) ) {
-                    $is_cross_origin = true;
-                }
-            }
-
-            if ( $is_cross_origin ) {
-                break;
-            }
-        }
-
-        if ( $is_cross_origin && ! is_string( $crossorigin ) ) {
-            if ( 'SOURCE' === $tag ) {
-                $sought = $processor->seek( 'audio-video-parent' );
-
-                if ( $sought ) {
-                    $processor->set_attribute( 'crossorigin', 'anonymous' );
-                }
-            } else {
-                $processor->set_attribute( 'crossorigin', 'anonymous' );
-            }
-
-            if ( $sought ) {
-                $processor->seek( 'resume' );
-                $processor->release_bookmark( 'audio-video-parent' );
-            }
-        }
-    }
-
-    return $processor->get_updated_html();
-}
-

trunk/src/wp-includes/rest-api/class-wp-rest-server.php

@@ -1369 +1369 @@
         );
 
-        // Add media processing settings for users who can upload files.
-        if ( wp_is_client_side_media_processing_enabled() && current_user_can( 'upload_files' ) ) {
-            // Image sizes keyed by name for client-side media processing.
-            $available['image_sizes'] = array();
-            foreach ( wp_get_registered_image_subsizes() as $name => $size ) {
-                $available['image_sizes'][ $name ] = $size;
-            }
-
-            /** This filter is documented in wp-admin/includes/image.php */
-            $available['image_size_threshold'] = (int) apply_filters( 'big_image_size_threshold', 2560, array( 0, 0 ), '', 0 );
-
-            // Image output formats.
-            $input_formats  = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/avif', 'image/heic' );
-            $output_formats = array();
-            foreach ( $input_formats as $mime_type ) {
-                /** This filter is documented in wp-includes/media.php */
-                $output_formats = apply_filters( 'image_editor_output_format', $output_formats, '', $mime_type );
-            }
-            $available['image_output_formats'] = (object) $output_formats;
-
-            /** This filter is documented in wp-includes/class-wp-image-editor-gd.php */
-            $available['jpeg_interlaced'] = (bool) apply_filters( 'image_save_progressive', false, 'image/jpeg' );
-            /** This filter is documented in wp-includes/class-wp-image-editor-gd.php */
-            $available['png_interlaced'] = (bool) apply_filters( 'image_save_progressive', false, 'image/png' );
-            /** This filter is documented in wp-includes/class-wp-image-editor-gd.php */
-            $available['gif_interlaced'] = (bool) apply_filters( 'image_save_progressive', false, 'image/gif' );
-        }
-
         $response = new WP_REST_Response( $available );
 

trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

@@ -64 +64 @@
             )
         );
-
-        if ( wp_is_client_side_media_processing_enabled() ) {
-            $valid_image_sizes = array_keys( wp_get_registered_image_subsizes() );
-            // Special case to set 'original_image' in attachment metadata.
-            $valid_image_sizes[] = 'original';
-            // Used for PDF thumbnails.
-            $valid_image_sizes[] = 'full';
-            // Client-side big image threshold: sideload the scaled version.
-            $valid_image_sizes[] = 'scaled';
-
-            register_rest_route(
-                $this->namespace,
-                '/' . $this->rest_base . '/(?P<id>[\d]+)/sideload',
-                array(
-                    array(
-                        'methods'             => WP_REST_Server::CREATABLE,
-                        'callback'            => array( $this, 'sideload_item' ),
-                        'permission_callback' => array( $this, 'sideload_item_permissions_check' ),
-                        'args'                => array(
-                            'id'             => array(
-                                'description' => __( 'Unique identifier for the attachment.' ),
-                                'type'        => 'integer',
-                            ),
-                            'image_size'     => array(
-                                'description' => __( 'Image size.' ),
-                                'type'        => 'string',
-                                'enum'        => $valid_image_sizes,
-                                'required'    => true,
-                            ),
-                            'convert_format' => array(
-                                'type'        => 'boolean',
-                                'default'     => true,
-                                'description' => __( 'Whether to convert image formats.' ),
-                            ),
-                        ),
-                    ),
-                    'allow_batch' => $this->allow_batch,
-                    'schema'      => array( $this, 'get_public_item_schema' ),
-                )
-            );
-
-            register_rest_route(
-                $this->namespace,
-                '/' . $this->rest_base . '/(?P<id>[\d]+)/finalize',
-                array(
-                    array(
-                        'methods'             => WP_REST_Server::CREATABLE,
-                        'callback'            => array( $this, 'finalize_item' ),
-                        'permission_callback' => array( $this, 'edit_media_item_permissions_check' ),
-                        'args'                => array(
-                            'id' => array(
-                                'description' => __( 'Unique identifier for the attachment.' ),
-                                'type'        => 'integer',
-                            ),
-                        ),
-                    ),
-                    'allow_batch' => $this->allow_batch,
-                    'schema'      => array( $this, 'get_public_item_schema' ),
-                )
-            );
-        }
-    }
-
-    /**
-     * Retrieves the query params for the attachments collection.
-     *
-     * @since 7.0.0
-     *
-     * @param string $method Optional. HTTP method of the request.
-     *                       The arguments for `CREATABLE` requests are
-     *                       checked for required values and may fall-back to a given default.
-     *                       Default WP_REST_Server::CREATABLE.
-     * @return array<string, array<string, mixed>> Endpoint arguments.
-     */
-    public function get_endpoint_args_for_item_schema( $method = WP_REST_Server::CREATABLE ) {
-        $args = parent::get_endpoint_args_for_item_schema( $method );
-
-        if ( WP_REST_Server::CREATABLE === $method && wp_is_client_side_media_processing_enabled() ) {
-            $args['generate_sub_sizes'] = array(
-                'type'        => 'boolean',
-                'default'     => true,
-                'description' => __( 'Whether to generate image sub sizes.' ),
-            );
-            $args['convert_format']     = array(
-                'type'        => 'boolean',
-                'default'     => true,
-                'description' => __( 'Whether to convert image formats.' ),
-            );
-        }
-
-        return $args;
     }
 
@@ -253 +162 @@
         $prevent_unsupported_uploads = apply_filters( 'wp_prevent_unsupported_mime_type_uploads', true, $files['file']['type'] ?? null );
 
-        // When the client handles image processing (generate_sub_sizes is false),
-        // skip the server-side image editor support check.
-        if ( false === $request['generate_sub_sizes'] ) {
-            $prevent_unsupported_uploads = false;
-        }
-
         // If the upload is an image, check if the server can handle the mime type.
         if (
@@ -290 +193 @@
      *
      * @since 4.7.0
-     * @since 7.0.0 Added `generate_sub_sizes` and `convert_format` parameters.
      *
      * @param WP_REST_Request $request Full details about the request.
@@ -304 +206 @@
         }
 
-        // Handle generate_sub_sizes parameter.
-        if ( false === $request['generate_sub_sizes'] ) {
-            add_filter( 'intermediate_image_sizes_advanced', '__return_empty_array', 100 );
-            add_filter( 'fallback_intermediate_image_sizes', '__return_empty_array', 100 );
-            // Disable server-side EXIF rotation so the client can handle it.
-            // This preserves the original orientation value in the metadata.
-            add_filter( 'wp_image_maybe_exif_rotate', '__return_false', 100 );
-        }
-
-        // Handle convert_format parameter.
-        if ( isset( $request['convert_format'] ) && ! $request['convert_format'] ) {
-            add_filter( 'image_editor_output_format', '__return_empty_array', 100 );
-        }
-
         $insert = $this->insert_attachment( $request );
 
         if ( is_wp_error( $insert ) ) {
-            $this->remove_client_side_media_processing_filters();
             return $insert;
         }
@@ -339 +226 @@
 
             if ( is_wp_error( $thumbnail_update ) ) {
-                $this->remove_client_side_media_processing_filters();
                 return $thumbnail_update;
             }
@@ -348 +234 @@
 
             if ( is_wp_error( $meta_update ) ) {
-                $this->remove_client_side_media_processing_filters();
                 return $meta_update;
             }
@@ -357 +242 @@
 
         if ( is_wp_error( $fields_update ) ) {
-            $this->remove_client_side_media_processing_filters();
             return $fields_update;
         }
@@ -364 +248 @@
 
         if ( is_wp_error( $terms_update ) ) {
-            $this->remove_client_side_media_processing_filters();
             return $terms_update;
         }
@@ -401 +284 @@
         wp_update_attachment_metadata( $attachment_id, wp_generate_attachment_metadata( $attachment_id, $file ) );
 
-        $this->remove_client_side_media_processing_filters();
-
         $response = $this->prepare_item_for_response( $attachment, $request );
         $response = rest_ensure_response( $response );
@@ -409 +290 @@
 
         return $response;
-    }
-
-    /**
-     * Removes filters added for client-side media processing.
-     *
-     * @since 7.0.0
-     */
-    private function remove_client_side_media_processing_filters() {
-        remove_filter( 'intermediate_image_sizes_advanced', '__return_empty_array', 100 );
-        remove_filter( 'fallback_intermediate_image_sizes', '__return_empty_array', 100 );
-        remove_filter( 'wp_image_maybe_exif_rotate', '__return_false', 100 );
-        remove_filter( 'image_editor_output_format', '__return_empty_array', 100 );
     }
 
@@ -1988 +1857 @@
         return null;
     }
-
-    /**
-     * Checks if a given request has access to sideload a file.
-     *
-     * Sideloading a file for an existing attachment
-     * requires both update and create permissions.
-     *
-     * @since 7.0.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise.
-     */
-    public function sideload_item_permissions_check( $request ) {
-        return $this->edit_media_item_permissions_check( $request );
-    }
-
-    /**
-     * Side-loads a media file without creating a new attachment.
-     *
-     * @since 7.0.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return WP_REST_Response|WP_Error Response object on success, WP_Error object on failure.
-     */
-    public function sideload_item( WP_REST_Request $request ) {
-        $attachment_id = $request['id'];
-
-        $post = $this->get_post( $attachment_id );
-
-        if ( is_wp_error( $post ) ) {
-            return $post;
-        }
-
-        if (
-            ! wp_attachment_is_image( $post ) &&
-            ! wp_attachment_is( 'pdf', $post )
-        ) {
-            return new WP_Error(
-                'rest_post_invalid_id',
-                __( 'Invalid post ID. Only images and PDFs can be sideloaded.' ),
-                array( 'status' => 400 )
-            );
-        }
-
-        if ( isset( $request['convert_format'] ) && ! $request['convert_format'] ) {
-            // Prevent image conversion as that is done client-side.
-            add_filter( 'image_editor_output_format', '__return_empty_array', 100 );
-        }
-
-        // Get the file via $_FILES or raw data.
-        $files   = $request->get_file_params();
-        $headers = $request->get_headers();
-
-        /*
-         * wp_unique_filename() will always add numeric suffix if the name looks like a sub-size to avoid conflicts.
-         * See /wp-includes/functions.php.
-         * With the following filter we can work around this safeguard.
-         */
-        $attachment_filename = get_attached_file( $attachment_id, true );
-        $attachment_filename = $attachment_filename ? wp_basename( $attachment_filename ) : null;
-
-        $filter_filename = static function ( $filename, $ext, $dir, $unique_filename_callback, $alt_filenames, $number ) use ( $attachment_filename ) {
-            return self::filter_wp_unique_filename( $filename, $dir, $number, $attachment_filename );
-        };
-
-        add_filter( 'wp_unique_filename', $filter_filename, 10, 6 );
-
-        $parent_post = get_post_parent( $attachment_id );
-
-        $time = null;
-
-        // Matches logic in media_handle_upload().
-        // The post date doesn't usually matter for pages, so don't backdate this upload.
-        if ( $parent_post && 'page' !== $parent_post->post_type && ! str_starts_with( $parent_post->post_date, '0000-00-00' ) ) {
-            $time = $parent_post->post_date;
-        }
-
-        if ( ! empty( $files ) ) {
-            $file = $this->upload_from_file( $files, $headers, $time );
-        } else {
-            $file = $this->upload_from_data( $request->get_body(), $headers, $time );
-        }
-
-        remove_filter( 'wp_unique_filename', $filter_filename );
-        remove_filter( 'image_editor_output_format', '__return_empty_array', 100 );
-
-        if ( is_wp_error( $file ) ) {
-            return $file;
-        }
-
-        $type = $file['type'];
-        $path = $file['file'];
-
-        $image_size = $request['image_size'];
-
-        $metadata = wp_get_attachment_metadata( $attachment_id, true );
-
-        if ( ! $metadata ) {
-            $metadata = array();
-        }
-
-        if ( 'original' === $image_size ) {
-            $metadata['original_image'] = wp_basename( $path );
-        } elseif ( 'scaled' === $image_size ) {
-            // The current attached file is the original; record it as original_image.
-            $current_file = get_attached_file( $attachment_id, true );
-
-            if ( ! $current_file ) {
-                return new WP_Error(
-                    'rest_sideload_no_attached_file',
-                    __( 'Unable to retrieve the attached file for this attachment.' ),
-                    array( 'status' => 404 )
-                );
-            }
-
-            $metadata['original_image'] = wp_basename( $current_file );
-
-            // Validate the scaled image before updating the attached file.
-            $size     = wp_getimagesize( $path );
-            $filesize = wp_filesize( $path );
-
-            if ( ! $size || ! $filesize ) {
-                return new WP_Error(
-                    'rest_sideload_invalid_image',
-                    __( 'Unable to read the scaled image file.' ),
-                    array( 'status' => 500 )
-                );
-            }
-
-            // Update the attached file to point to the scaled version.
-            if (
-                get_attached_file( $attachment_id, true ) !== $path &&
-                ! update_attached_file( $attachment_id, $path )
-            ) {
-                return new WP_Error(
-                    'rest_sideload_update_attached_file_failed',
-                    __( 'Unable to update the attached file for this attachment.' ),
-                    array( 'status' => 500 )
-                );
-            }
-
-            $metadata['width']    = $size[0];
-            $metadata['height']   = $size[1];
-            $metadata['filesize'] = $filesize;
-            $metadata['file']     = _wp_relative_upload_path( $path );
-        } else {
-            $metadata['sizes'] = $metadata['sizes'] ?? array();
-
-            $size = wp_getimagesize( $path );
-
-            $metadata['sizes'][ $image_size ] = array(
-                'width'     => $size ? $size[0] : 0,
-                'height'    => $size ? $size[1] : 0,
-                'file'      => wp_basename( $path ),
-                'mime-type' => $type,
-                'filesize'  => wp_filesize( $path ),
-            );
-        }
-
-        wp_update_attachment_metadata( $attachment_id, $metadata );
-
-        $response_request = new WP_REST_Request(
-            WP_REST_Server::READABLE,
-            rest_get_route_for_post( $attachment_id )
-        );
-
-        $response_request['context'] = 'edit';
-
-        if ( isset( $request['_fields'] ) ) {
-            $response_request['_fields'] = $request['_fields'];
-        }
-
-        $response = $this->prepare_item_for_response( get_post( $attachment_id ), $response_request );
-
-        $response->header( 'Location', rest_url( rest_get_route_for_post( $attachment_id ) ) );
-
-        return $response;
-    }
-
-    /**
-     * Filters wp_unique_filename during sideloads.
-     *
-     * wp_unique_filename() will always add numeric suffix if the name looks like a sub-size to avoid conflicts.
-     * Adding this closure to the filter helps work around this safeguard.
-     *
-     * Example: when uploading myphoto.jpeg, WordPress normally creates myphoto-150x150.jpeg,
-     * and when uploading myphoto-150x150.jpeg, it will be renamed to myphoto-150x150-1.jpeg
-     * However, here it is desired not to add the suffix in order to maintain the same
-     * naming convention as if the file was uploaded regularly.
-     *
-     * @since 7.0.0
-     *
-     * @link https://github.com/WordPress/wordpress-develop/blob/30954f7ac0840cfdad464928021d7f380940c347/src/wp-includes/functions.php#L2576-L2582
-     *
-     * @param string      $filename            Unique file name.
-     * @param string      $dir                 Directory path.
-     * @param int|string  $number              The highest number that was used to make the file name unique
-     *                                         or an empty string if unused.
-     * @param string|null $attachment_filename Original attachment file name.
-     * @return string Filtered file name.
-     */
-    private static function filter_wp_unique_filename( $filename, $dir, $number, $attachment_filename ) {
-        if ( ! is_int( $number ) || ! $attachment_filename ) {
-            return $filename;
-        }
-
-        $ext       = pathinfo( $filename, PATHINFO_EXTENSION );
-        $name      = pathinfo( $filename, PATHINFO_FILENAME );
-        $orig_name = pathinfo( $attachment_filename, PATHINFO_FILENAME );
-
-        if ( ! $ext || ! $name ) {
-            return $filename;
-        }
-
-        $matches = array();
-        if ( preg_match( '/(.*)-(\d+x\d+|scaled)-' . $number . '$/', $name, $matches ) ) {
-            $filename_without_suffix = $matches[1] . '-' . $matches[2] . ".$ext";
-            if ( $matches[1] === $orig_name && ! file_exists( "$dir/$filename_without_suffix" ) ) {
-                return $filename_without_suffix;
-            }
-        }
-
-        return $filename;
-    }
-
-    /**
-     * Finalizes an attachment after client-side media processing.
-     *
-     * Triggers the 'wp_generate_attachment_metadata' filter so that
-     * server-side plugins can process the attachment after all client-side
-     * operations (upload, thumbnail generation, sideloads) are complete.
-     *
-     * @since 7.0.0
-     *
-     * @param WP_REST_Request $request Full details about the request.
-     * @return WP_REST_Response|WP_Error Response object on success, WP_Error object on failure.
-     */
-    public function finalize_item( WP_REST_Request $request ) {
-        $attachment_id = $request['id'];
-
-        $post = $this->get_post( $attachment_id );
-        if ( is_wp_error( $post ) ) {
-            return $post;
-        }
-
-        $metadata = wp_get_attachment_metadata( $attachment_id );
-        if ( ! is_array( $metadata ) ) {
-            $metadata = array();
-        }
-
-        /** This filter is documented in wp-admin/includes/image.php */
-        $metadata = apply_filters( 'wp_generate_attachment_metadata', $metadata, $attachment_id, 'update' );
-
-        wp_update_attachment_metadata( $attachment_id, $metadata );
-
-        $response_request = new WP_REST_Request(
-            WP_REST_Server::READABLE,
-            rest_get_route_for_post( $attachment_id )
-        );
-
-        $response_request['context'] = 'edit';
-
-        if ( isset( $request['_fields'] ) ) {
-            $response_request['_fields'] = $request['_fields'];
-        }
-
-        return $this->prepare_item_for_response( $post, $response_request );
-    }
 }

trunk/src/wp-includes/script-modules.php

@@ -191 +191 @@
         }
 
-        // VIPS files are always minified — the non-minified versions are not
-        // shipped because they are ~10MB of inlined WASM with no debugging value.
-        if ( str_starts_with( $file_name, 'vips/' ) ) {
-            $file_name = str_replace( '.js', '.min.js', $file_name );
-        } elseif ( '' !== $suffix ) {
+        if ( '' !== $suffix ) {
             $file_name = str_replace( '.js', $suffix . '.js', $file_name );
         }

trunk/tests/phpunit/tests/media/wpCrossOriginIsolation.php

@@ -1 @@
-<?php
-
-/**
- * Tests for cross-origin isolation functions.
- *
- * @group media
- * @covers ::wp_set_up_cross_origin_isolation
- * @covers ::wp_start_cross_origin_isolation_output_buffer
- * @covers ::wp_is_client_side_media_processing_enabled
- */
-class Tests_Media_wpCrossOriginIsolation extends WP_UnitTestCase {
-
-    /**
-     * Original HTTP_USER_AGENT value.
-     */
-    private ?string $original_user_agent;
-
-    /**
-     * Original HTTP_HOST value.
-     */
-    private ?string $original_http_host;
-
-    /**
-     * Original HTTPS value.
-     */
-    private ?string $original_https;
-
-    /**
-     * Original $_GET['action'] value.
-     */
-    private ?string $original_get_action;
-
-    public function set_up() {
-        parent::set_up();
-        $this->original_user_agent = $_SERVER['HTTP_USER_AGENT'] ?? null;
-        $this->original_http_host  = $_SERVER['HTTP_HOST'] ?? null;
-        $this->original_https      = $_SERVER['HTTPS'] ?? null;
-        $this->original_get_action = $_GET['action'] ?? null;
-    }
-
-    public function tear_down() {
-        if ( null === $this->original_user_agent ) {
-            unset( $_SERVER['HTTP_USER_AGENT'] );
-        } else {
-            $_SERVER['HTTP_USER_AGENT'] = $this->original_user_agent;
-        }
-
-        if ( null === $this->original_http_host ) {
-            unset( $_SERVER['HTTP_HOST'] );
-        } else {
-            $_SERVER['HTTP_HOST'] = $this->original_http_host;
-        }
-
-        if ( null === $this->original_https ) {
-            unset( $_SERVER['HTTPS'] );
-        } else {
-            $_SERVER['HTTPS'] = $this->original_https;
-        }
-
-        if ( null === $this->original_get_action ) {
-            unset( $_GET['action'] );
-        } else {
-            $_GET['action'] = $this->original_get_action;
-        }
-
-        // Clean up any output buffers started during tests.
-        while ( ob_get_level() > 1 ) {
-            ob_end_clean();
-        }
-
-        remove_all_filters( 'wp_client_side_media_processing_enabled' );
-        parent::tear_down();
-    }
-
-    /**
-     * @ticket 64766
-     */
-    public function test_returns_early_when_client_side_processing_disabled() {
-        add_filter( 'wp_client_side_media_processing_enabled', '__return_false' );
-
-        // Should not error or start an output buffer.
-        $level_before = ob_get_level();
-        wp_set_up_cross_origin_isolation();
-        $level_after = ob_get_level();
-
-        $this->assertSame( $level_before, $level_after );
-    }
-
-    /**
-     * @ticket 64766
-     */
-    public function test_returns_early_when_no_screen() {
-        // No screen is set, so it should return early.
-        $level_before = ob_get_level();
-        wp_set_up_cross_origin_isolation();
-        $level_after = ob_get_level();
-
-        $this->assertSame( $level_before, $level_after );
-    }
-
-    /**
-     * This test must run in a separate process because the output buffer
-     * callback sends HTTP headers via header(), which would fail in the
-     * main PHPUnit process where output has already started.
-     *
-     * @ticket 64766
-     *
-     * @runInSeparateProcess
-     * @preserveGlobalState disabled
-     */
-    public function test_starts_output_buffer_for_chrome_137() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36';
-
-        $level_before = ob_get_level();
-        wp_start_cross_origin_isolation_output_buffer();
-        $level_after = ob_get_level();
-
-        $this->assertSame( $level_before + 1, $level_after, 'Output buffer should be started for Chrome 137.' );
-
-        ob_end_clean();
-    }
-
-    /**
-     * @ticket 64766
-     */
-    public function test_does_not_start_output_buffer_for_chrome_136() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36';
-
-        $level_before = ob_get_level();
-        wp_start_cross_origin_isolation_output_buffer();
-        $level_after = ob_get_level();
-
-        $this->assertSame( $level_before, $level_after, 'Output buffer should not be started for Chrome < 137.' );
-    }
-
-    /**
-     * @ticket 64766
-     */
-    public function test_does_not_start_output_buffer_for_firefox() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0';
-
-        $level_before = ob_get_level();
-        wp_start_cross_origin_isolation_output_buffer();
-        $level_after = ob_get_level();
-
-        $this->assertSame( $level_before, $level_after, 'Output buffer should not be started for Firefox.' );
-    }
-
-    /**
-     * @ticket 64766
-     */
-    public function test_does_not_start_output_buffer_for_safari() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15';
-
-        $level_before = ob_get_level();
-        wp_start_cross_origin_isolation_output_buffer();
-        $level_after = ob_get_level();
-
-        $this->assertSame( $level_before, $level_after, 'Output buffer should not be started for Safari.' );
-    }
-
-    /**
-     * @ticket 64803
-     */
-    public function test_client_side_processing_disabled_on_non_secure_origin() {
-        $_SERVER['HTTP_HOST'] = 'example.com';
-        $_SERVER['HTTPS']     = '';
-
-        $this->assertFalse(
-            wp_is_client_side_media_processing_enabled(),
-            'Client-side media processing should be disabled on non-secure, non-localhost origins.'
-        );
-    }
-
-    /**
-     * @ticket 64803
-     */
-    public function test_client_side_processing_enabled_on_localhost() {
-        $_SERVER['HTTP_HOST'] = 'localhost';
-        $_SERVER['HTTPS']     = '';
-
-        $this->assertTrue(
-            wp_is_client_side_media_processing_enabled(),
-            'Client-side media processing should be enabled on localhost.'
-        );
-    }
-
-    /**
-     * Verifies that cross-origin elements get crossorigin="anonymous" added.
-     *
-     * @ticket 64766
-     *
-     * @runInSeparateProcess
-     * @preserveGlobalState disabled
-     *
-     * @dataProvider data_elements_that_should_get_crossorigin
-     *
-     * @param string $html HTML input to process.
-     */
-    public function test_output_buffer_adds_crossorigin( $html ) {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36';
-
-        ob_start();
-
-        wp_start_cross_origin_isolation_output_buffer();
-        echo $html;
-
-        ob_end_flush();
-        $output = ob_get_clean();
-
-        $this->assertStringContainsString( 'crossorigin="anonymous"', $output );
-    }
-
-    /**
-     * Data provider for elements that should receive crossorigin="anonymous".
-     *
-     * @return array[]
-     */
-    public function data_elements_that_should_get_crossorigin() {
-        return array(
-            'cross-origin script'              => array(
-                '<script src="https://external.example.com/script.js"></script>',
-            ),
-            'cross-origin audio'               => array(
-                '<audio src="https://external.example.com/audio.mp3"></audio>',
-            ),
-            'cross-origin video'               => array(
-                '<video src="https://external.example.com/video.mp4"></video>',
-            ),
-            'cross-origin link stylesheet'     => array(
-                '<link rel="stylesheet" href="https://external.example.com/style.css" />',
-            ),
-            'cross-origin source inside video' => array(
-                '<video><source src="https://external.example.com/video.mp4" type="video/mp4" /></video>',
-            ),
-        );
-    }
-
-    /**
-     * Verifies that certain elements do not get crossorigin="anonymous" added.
-     *
-     * Images are excluded because under Document-Isolation-Policy:
-     * isolate-and-credentialless, the browser handles cross-origin images
-     * in credentialless mode without needing explicit CORS headers.
-     *
-     * @ticket 64766
-     *
-     * @runInSeparateProcess
-     * @preserveGlobalState disabled
-     *
-     * @dataProvider data_elements_that_should_not_get_crossorigin
-     *
-     * @param string $html HTML input to process.
-     */
-    public function test_output_buffer_does_not_add_crossorigin( $html ) {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36';
-
-        ob_start();
-
-        wp_start_cross_origin_isolation_output_buffer();
-        echo $html;
-
-        ob_end_flush();
-        $output = ob_get_clean();
-
-        $this->assertStringNotContainsString( 'crossorigin="anonymous"', $output );
-    }
-
-    /**
-     * Data provider for elements that should not receive crossorigin="anonymous".
-     *
-     * @return array[]
-     */
-    public function data_elements_that_should_not_get_crossorigin() {
-        return array(
-            'cross-origin img'                        => array(
-                '<img src="https://external.example.com/image.jpg" />',
-            ),
-            'cross-origin img with srcset'            => array(
-                '<img src="https://external.example.com/image.jpg" srcset="https://external.example.com/image-2x.jpg 2x" />',
-            ),
-            'link with cross-origin imagesrcset only' => array(
-                '<link rel="preload" as="image" imagesrcset="https://external.example.com/image.jpg 1x" href="https://core.trac.wordpress.org/local-fallback.jpg" />',
-            ),
-            'relative URL script'                     => array(
-                '<script src="https://core.trac.wordpress.org/wp-includes/js/wp-embed.min.js"></script>',
-            ),
-        );
-    }
-
-    /**
-     * Same-origin URLs should not get crossorigin="anonymous".
-     *
-     * Uses site_url() at runtime since the test domain varies by CI config.
-     *
-     * @ticket 64766
-     *
-     * @runInSeparateProcess
-     * @preserveGlobalState disabled
-     */
-    public function test_output_buffer_does_not_add_crossorigin_to_same_origin() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36';
-
-        ob_start();
-
-        wp_start_cross_origin_isolation_output_buffer();
-        echo '<script src="' . site_url( '/wp-includes/js/wp-embed.min.js' ) . '"></script>';
-
-        ob_end_flush();
-        $output = ob_get_clean();
-
-        $this->assertStringNotContainsString( 'crossorigin="anonymous"', $output );
-    }
-
-    /**
-     * Elements that already have a crossorigin attribute should not be modified.
-     *
-     * @ticket 64766
-     *
-     * @runInSeparateProcess
-     * @preserveGlobalState disabled
-     */
-    public function test_output_buffer_does_not_override_existing_crossorigin() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36';
-
-        ob_start();
-
-        wp_start_cross_origin_isolation_output_buffer();
-        echo '<script src="https://external.example.com/script.js" crossorigin="use-credentials"></script>';
-
-        ob_end_flush();
-        $output = ob_get_clean();
-
-        $this->assertStringContainsString( 'crossorigin="use-credentials"', $output, 'Existing crossorigin attribute should not be overridden.' );
-        $this->assertStringNotContainsString( 'crossorigin="anonymous"', $output );
-    }
-
-    /**
-     * Multiple tags in the same output should each be handled correctly.
-     *
-     * @ticket 64766
-     *
-     * @runInSeparateProcess
-     * @preserveGlobalState disabled
-     */
-    public function test_output_buffer_handles_mixed_tags() {
-        $_SERVER['HTTP_USER_AGENT'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36';
-
-        ob_start();
-
-        wp_start_cross_origin_isolation_output_buffer();
-        echo '<img src="https://external.example.com/image.jpg" />';
-        echo '<script src="https://external.example.com/script.js"></script>';
-        echo '<audio src="https://external.example.com/audio.mp3"></audio>';
-
-        ob_end_flush();
-        $output = ob_get_clean();
-
-        // IMG should NOT have crossorigin.
-        $this->assertStringContainsString( '<img src="https://external.example.com/image.jpg" />', $output, 'IMG should not be modified.' );
-
-        // Script and audio should have crossorigin.
-        $this->assertSame( 2, substr_count( $output, 'crossorigin="anonymous"' ), 'Script and audio should both get crossorigin, but not img.' );
-    }
-}

trunk/tests/phpunit/tests/media/wpGetChromiumMajorVersion.php

@@ -1 @@
-<?php
-
-/**
- * Tests for the `wp_get_chromium_major_version()` function.
- *
- * @group media
- * @covers ::wp_get_chromium_major_version
- */
-class Tests_Media_wpGetChromiumMajorVersion extends WP_UnitTestCase {
-
-    /**
-     * Original HTTP_USER_AGENT value.
-     *
-     * @var string|null
-     */
-    private $original_user_agent;
-
-    public function set_up() {
-        parent::set_up();
-        $this->original_user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : null;
-    }
-
-    public function tear_down() {
-        if ( null === $this->original_user_agent ) {
-            unset( $_SERVER['HTTP_USER_AGENT'] );
-        } else {
-            $_SERVER['HTTP_USER_AGENT'] = $this->original_user_agent;
-        }
-        parent::tear_down();
-    }
-
-    /**
-     * @ticket 64766
-     */
-    public function test_returns_null_when_no_user_agent() {
-        unset( $_SERVER['HTTP_USER_AGENT'] );
-        $this->assertNull( wp_get_chromium_major_version() );
-    }
-
-    /**
-     * @ticket 64766
-     *
-     * @dataProvider data_user_agents
-     *
-     * @param string   $user_agent The user agent string.
-     * @param int|null $expected   The expected Chromium major version, or null.
-     */
-    public function test_returns_expected_version( $user_agent, $expected ) {
-        $_SERVER['HTTP_USER_AGENT'] = $user_agent;
-        $this->assertSame( $expected, wp_get_chromium_major_version() );
-    }
-
-    /**
-     * Data provider for test_returns_expected_version.
-     *
-     * @return array[]
-     */
-    public function data_user_agents() {
-        return array(
-            'empty user agent'   => array( '', null ),
-            'Firefox'            => array( 'Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0', null ),
-            'Safari'             => array( 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15', null ),
-            'Chrome 137'         => array( 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36', 137 ),
-            'Edge 137'           => array( 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0', 137 ),
-            'Opera (Chrome 136)' => array( 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 OPR/122.0.0.0', 136 ),
-            'Chrome 100'         => array( 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36', 100 ),
-        );
-    }
-}

trunk/tests/phpunit/tests/rest-api/rest-attachments-controller.php

@@ -193 +193 @@
 
         parent::tear_down();
-    }
-
-    /**
-     * Enables client-side media processing and reinitializes the REST server
-     * so that the sideload and finalize routes are registered.
-     */
-    private function enable_client_side_media_processing(): void {
-        add_filter( 'wp_client_side_media_processing_enabled', '__return_true' );
-
-        global $wp_rest_server;
-        $wp_rest_server = new Spy_REST_Server();
-        do_action( 'rest_api_init', $wp_rest_server );
     }
 
@@ -2943 +2931 @@
 
     /**
-     * Test that unsupported image type check is skipped when not generating sub-sizes.
-     *
-     * When the client handles image processing (generate_sub_sizes is false),
-     * the server should not check image editor support.
-     *
-     * Tests the permissions check directly with file params set, since the core
-     * check uses get_file_params() which is only populated for multipart uploads.
-     *
-     * @ticket 64836
-     */
-    public function test_upload_unsupported_image_type_skipped_when_not_generating_sub_sizes() {
-        wp_set_current_user( self::$author_id );
-
-        add_filter( 'wp_image_editors', '__return_empty_array' );
-
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_file_params(
-            array(
-                'file' => array(
-                    'name'     => 'avif-lossy.avif',
-                    'type'     => 'image/avif',
-                    'tmp_name' => self::$test_avif_file,
-                    'error'    => 0,
-                    'size'     => filesize( self::$test_avif_file ),
-                ),
-            )
-        );
-        $request->set_param( 'generate_sub_sizes', false );
-
-        $controller = new WP_REST_Attachments_Controller( 'attachment' );
-        $result     = $controller->create_item_permissions_check( $request );
-
-        // Should pass because generate_sub_sizes is false (client handles processing).
-        $this->assertTrue( $result );
-    }
-
-    /**
      * Test that unsupported image type check is enforced when generating sub-sizes.
      *
@@ -3241 +3192 @@
         $this->assertIsArray( $captured_data, 'Data passed to wp_insert_attachment should be an array' );
     }
-
-    /**
-     * Tests sideloading a scaled image for an existing attachment.
-     *
-     * @ticket 64737
-     * @requires function imagejpeg
-     */
-    public function test_sideload_scaled_image() {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        // First, create an attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response      = rest_get_server()->dispatch( $request );
-        $data          = $response->get_data();
-        $attachment_id = $data['id'];
-
-        $this->assertSame( 201, $response->get_status() );
-
-        $original_file = get_attached_file( $attachment_id, true );
-
-        // Sideload a "scaled" version of the image.
-        $request = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/sideload" );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola-scaled.jpg' );
-        $request->set_param( 'image_size', 'scaled' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertSame( 200, $response->get_status(), 'Sideloading scaled image should succeed.' );
-
-        $metadata = wp_get_attachment_metadata( $attachment_id );
-
-        // The original file should now be recorded as original_image.
-        $this->assertArrayHasKey( 'original_image', $metadata, 'Metadata should contain original_image.' );
-        $this->assertSame( wp_basename( $original_file ), $metadata['original_image'], 'original_image should be the basename of the original attached file.' );
-
-        // The attached file should now point to the scaled version.
-        $new_file = get_attached_file( $attachment_id, true );
-        $this->assertStringContainsString( 'scaled', wp_basename( $new_file ), 'Attached file should now be the scaled version.' );
-
-        // Metadata should have width, height, filesize, and file updated.
-        $this->assertArrayHasKey( 'width', $metadata, 'Metadata should contain width.' );
-        $this->assertArrayHasKey( 'height', $metadata, 'Metadata should contain height.' );
-        $this->assertArrayHasKey( 'filesize', $metadata, 'Metadata should contain filesize.' );
-        $this->assertArrayHasKey( 'file', $metadata, 'Metadata should contain file.' );
-        $this->assertStringContainsString( 'scaled', $metadata['file'], 'Metadata file should reference the scaled version.' );
-        $this->assertGreaterThan( 0, $metadata['width'], 'Width should be positive.' );
-        $this->assertGreaterThan( 0, $metadata['height'], 'Height should be positive.' );
-        $this->assertGreaterThan( 0, $metadata['filesize'], 'Filesize should be positive.' );
-    }
-
-    /**
-     * Tests that sideloading scaled image requires authentication.
-     *
-     * @ticket 64737
-     * @requires function imagejpeg
-     */
-    public function test_sideload_scaled_image_requires_auth() {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        // Create an attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response      = rest_get_server()->dispatch( $request );
-        $attachment_id = $response->get_data()['id'];
-
-        // Try sideloading without authentication.
-        wp_set_current_user( 0 );
-
-        $request = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/sideload" );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola-scaled.jpg' );
-        $request->set_param( 'image_size', 'scaled' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_cannot_edit_image', $response, 401 );
-    }
-
-    /**
-     * Tests that the sideload endpoint includes 'scaled' in the image_size enum.
-     *
-     * @ticket 64737
-     */
-    public function test_sideload_route_includes_scaled_enum() {
-        $this->enable_client_side_media_processing();
-
-        $server = rest_get_server();
-        $routes = $server->get_routes();
-
-        $endpoint = '/wp/v2/media/(?P<id>[\d]+)/sideload';
-        $this->assertArrayHasKey( $endpoint, $routes, 'Sideload route should exist.' );
-
-        $route    = $routes[ $endpoint ];
-        $endpoint = $route[0];
-        $args     = $endpoint['args'];
-
-        $param_name = 'image_size';
-        $this->assertArrayHasKey( $param_name, $args, 'Route should have image_size arg.' );
-        $this->assertContains( 'scaled', $args[ $param_name ]['enum'], 'image_size enum should include scaled.' );
-    }
-
-    /**
-     * Tests the filter_wp_unique_filename method handles the -scaled suffix.
-     *
-     * @ticket 64737
-     * @requires function imagejpeg
-     */
-    public function test_sideload_scaled_unique_filename() {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        // Create an attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response      = rest_get_server()->dispatch( $request );
-        $attachment_id = $response->get_data()['id'];
-
-        // Sideload with the -scaled suffix.
-        $request = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/sideload" );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola-scaled.jpg' );
-        $request->set_param( 'image_size', 'scaled' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertSame( 200, $response->get_status(), 'Sideloading scaled image should succeed.' );
-
-        // The filename should retain the -scaled suffix without numeric disambiguation.
-        $new_file = get_attached_file( $attachment_id, true );
-        $basename = wp_basename( $new_file );
-        $this->assertMatchesRegularExpression( '/canola-scaled\.jpg$/', $basename, 'Scaled filename should not have numeric suffix appended.' );
-    }
-
-    /**
-     * Tests that sideloading a scaled image for a different attachment retains the numeric suffix
-     * when a file with the same name already exists on disk.
-     *
-     * @ticket 64737
-     * @requires function imagejpeg
-     */
-    public function test_sideload_scaled_unique_filename_conflict() {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        // Create the first attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response        = rest_get_server()->dispatch( $request );
-        $attachment_id_a = $response->get_data()['id'];
-
-        // Sideload a scaled image for attachment A, creating canola-scaled.jpg on disk.
-        $request = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id_a}/sideload" );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola-scaled.jpg' );
-        $request->set_param( 'image_size', 'scaled' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertSame( 200, $response->get_status(), 'First sideload should succeed.' );
-
-        // Create a second, different attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=other.jpg' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response        = rest_get_server()->dispatch( $request );
-        $attachment_id_b = $response->get_data()['id'];
-
-        // Sideload scaled for attachment B using the same filename that already exists on disk.
-        $request = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id_b}/sideload" );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola-scaled.jpg' );
-        $request->set_param( 'image_size', 'scaled' );
-        $request->set_body( file_get_contents( self::$test_file ) );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertSame( 200, $response->get_status(), 'Second sideload should succeed.' );
-
-        // The filename should have a numeric suffix since the base name does not match this attachment.
-        $new_file = get_attached_file( $attachment_id_b, true );
-        $basename = wp_basename( $new_file );
-        $this->assertMatchesRegularExpression( '/canola-scaled-\d+\.jpg$/', $basename, 'Scaled filename should have numeric suffix when file conflicts with a different attachment.' );
-    }
-
-    /**
-     * Tests that the finalize endpoint triggers wp_generate_attachment_metadata.
-     *
-     * @ticket 62243
-     * @covers WP_REST_Attachments_Controller::finalize_item
-     * @requires function imagejpeg
-     */
-    public function test_finalize_item(): void {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        // Create an attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
-        $request->set_body( (string) file_get_contents( self::$test_file ) );
-        $response      = rest_get_server()->dispatch( $request );
-        $attachment_id = $response->get_data()['id'];
-
-        $this->assertSame( 201, $response->get_status() );
-
-        // Track whether wp_generate_attachment_metadata filter fires.
-        $filter_metadata = null;
-        $filter_id       = null;
-        $filter_context  = null;
-        add_filter(
-            'wp_generate_attachment_metadata',
-            function ( array $metadata, int $id, string $context ) use ( &$filter_metadata, &$filter_id, &$filter_context ) {
-                $filter_metadata = $metadata;
-                $filter_id       = $id;
-                $filter_context  = $context;
-                $metadata['foo'] = 'bar';
-                return $metadata;
-            },
-            10,
-            3
-        );
-
-        // Call the finalize endpoint.
-        $request  = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/finalize" );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertSame( 200, $response->get_status(), 'Finalize endpoint should return 200.' );
-        $this->assertIsArray( $filter_metadata );
-        $this->assertStringContainsString( 'canola', $filter_metadata['file'], 'Expected the canola image to have been had its metadata updated.' );
-        $this->assertSame( $attachment_id, $filter_id, 'Expected the post ID to be passed to the filter.' );
-        $this->assertSame( 'update', $filter_context, 'Filter context should be "update".' );
-        $resulting_metadata = wp_get_attachment_metadata( $attachment_id );
-        $this->assertIsArray( $resulting_metadata );
-        $this->assertArrayHasKey( 'foo', $resulting_metadata, 'Expected new metadata key to have been added.' );
-        $this->assertSame( 'bar', $resulting_metadata['foo'], 'Expected filtered metadata to be updated.' );
-    }
-
-    /**
-     * Tests that the finalize endpoint requires authentication.
-     *
-     * @ticket 62243
-     * @covers WP_REST_Attachments_Controller::finalize_item
-     * @requires function imagejpeg
-     */
-    public function test_finalize_item_requires_auth(): void {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        // Create an attachment.
-        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
-        $request->set_header( 'Content-Type', 'image/jpeg' );
-        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
-        $request->set_body( (string) file_get_contents( self::$test_file ) );
-        $response      = rest_get_server()->dispatch( $request );
-        $attachment_id = $response->get_data()['id'];
-
-        // Try finalizing without authentication.
-        wp_set_current_user( 0 );
-
-        $request  = new WP_REST_Request( 'POST', "/wp/v2/media/{$attachment_id}/finalize" );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_cannot_edit_image', $response, 401 );
-    }
-
-    /**
-     * Tests that the finalize endpoint returns error for invalid attachment ID.
-     *
-     * @ticket 62243
-     * @covers WP_REST_Attachments_Controller::finalize_item
-     */
-    public function test_finalize_item_invalid_id(): void {
-        $this->enable_client_side_media_processing();
-
-        wp_set_current_user( self::$author_id );
-
-        $invalid_id = PHP_INT_MAX;
-        $this->assertNull( get_post( $invalid_id ), 'Expected invalid ID to not exist for an existing post.' );
-        $request  = new WP_REST_Request( 'POST', "/wp/v2/media/$invalid_id/finalize" );
-        $response = rest_get_server()->dispatch( $request );
-
-        $this->assertErrorResponse( 'rest_post_invalid_id', $response, 404 );
-    }
 }

trunk/tests/phpunit/tests/rest-api/rest-schema-setup.php

@@ -16 +16 @@
     public function set_up() {
         parent::set_up();
-
-        // Ensure client-side media processing is enabled so the sideload route is registered.
-        add_filter( 'wp_client_side_media_processing_enabled', '__return_true' );
 
         /** @var WP_REST_Server $wp_rest_server */
@@ -113 +110 @@
             '/wp/v2/media/(?P<id>[\\d]+)/post-process',
             '/wp/v2/media/(?P<id>[\\d]+)/edit',
-            '/wp/v2/media/(?P<id>[\\d]+)/sideload',
-            '/wp/v2/media/(?P<id>[\\d]+)/finalize',
             '/wp/v2/blocks',
             '/wp/v2/blocks/(?P<id>[\d]+)',

trunk/tests/phpunit/tests/script-modules/wpScriptModules.php

@@ -1905 +1905 @@
 
     /**
-     * Tests that VIPS script modules always use minified file paths.
-     *
-     * Non-minified VIPS files are not shipped because they are ~10MB of
-     * inlined WASM with no debugging value, so the registration should
-     * always point to the .min.js variants.
-     *
-     * @ticket 64734
+     * Tests that VIPS script modules are not registered in Core.
+     *
+     * The wasm-vips library is plugin-only and should not be included
+     * in WordPress Core builds due to its large size (~16MB per file).
+     *
+     * @ticket 64906
      *
      * @covers ::wp_default_script_modules
      */
-    public function test_vips_script_modules_always_use_minified_paths() {
+    public function test_vips_script_modules_not_registered_in_core() {
         wp_default_script_modules();
         wp_enqueue_script_module( '@wordpress/vips/loader' );
@@ -1921 +1920 @@
         $actual = get_echo( array( wp_script_modules(), 'print_enqueued_script_modules' ) );
 
-        $this->assertStringContainsString( 'vips/loader.min.js', $actual );
-        $this->assertStringNotContainsString( 'vips/loader.js"', $actual );
+        $this->assertStringNotContainsString( 'vips', $actual );
     }
 

trunk/tests/qunit/fixtures/wp-api-generated.js

@@ -3148 +3148 @@
                             "description": "The ID for the associated post of the attachment.",
                             "type": "integer",
-                            "required": false
-                        },
-                        "generate_sub_sizes": {
-                            "type": "boolean",
-                            "default": true,
-                            "description": "Whether to generate image sub sizes.",
-                            "required": false
-                        },
-                        "convert_format": {
-                            "type": "boolean",
-                            "default": true,
-                            "description": "Whether to convert image formats.",
                             "required": false
                         }
@@ -3677 +3665 @@
             ]
         },
-        "/wp/v2/media/(?P<id>[\\d]+)/sideload": {
-            "namespace": "wp/v2",
-            "methods": [
-                "POST"
-            ],
-            "endpoints": [
-                {
-                    "methods": [
-                        "POST"
-                    ],
-                    "args": {
-                        "id": {
-                            "description": "Unique identifier for the attachment.",
-                            "type": "integer",
-                            "required": false
-                        },
-                        "image_size": {
-                            "description": "Image size.",
-                            "type": "string",
-                            "enum": [
-                                "thumbnail",
-                                "medium",
-                                "medium_large",
-                                "large",
-                                "1536x1536",
-                                "2048x2048",
-                                "original",
-                                "full",
-                                "scaled"
-                            ],
-                            "required": true
-                        },
-                        "convert_format": {
-                            "type": "boolean",
-                            "default": true,
-                            "description": "Whether to convert image formats.",
-                            "required": false
-                        }
-                    }
-                }
-            ]
-        },
-        "/wp/v2/media/(?P<id>[\\d]+)/finalize": {
-            "namespace": "wp/v2",
-            "methods": [
-                "POST"
-            ],
-            "endpoints": [
-                {
-                    "methods": [
-                        "POST"
-                    ],
-                    "args": {
-                        "id": {
-                            "description": "Unique identifier for the attachment.",
-                            "type": "integer",
-                            "required": false
-                        }
-                    }
-                }
-            ]
-        },
         "/wp/v2/menu-items": {
             "namespace": "wp/v2",
@@ -12775 +12701 @@
         }
     },
-    "image_sizes": {
-        "thumbnail": {
-            "width": 150,
-            "height": 150,
-            "crop": true
-        },
-        "medium": {
-            "width": 300,
-            "height": 300,
-            "crop": false
-        },
-        "medium_large": {
-            "width": 768,
-            "height": 0,
-            "crop": false
-        },
-        "large": {
-            "width": 1024,
-            "height": 1024,
-            "crop": false
-        },
-        "1536x1536": {
-            "width": 1536,
-            "height": 1536,
-            "crop": false
-        },
-        "2048x2048": {
-            "width": 2048,
-            "height": 2048,
-            "crop": false
-        }
-    },
-    "image_size_threshold": 2560,
-    "image_output_formats": {},
-    "jpeg_interlaced": false,
-    "png_interlaced": false,
-    "gif_interlaced": false,
     "site_logo": 0,
     "site_icon": 0,

trunk/tools/gutenberg/copy.js

@@ -260 +260 @@
 
             if ( entry.isDirectory() ) {
+                // Skip plugin-only packages (e.g., vips/wasm) that should not be in Core.
+                if ( entry.name === 'vips' ) {
+                    continue;
+                }
                 processDirectory( fullPath, baseDir );
             } else if ( entry.name.endsWith( '.min.asset.php' ) ) {
@@ -343 +347 @@
             if ( ! assetData.dependencies ) {
                 assetData.dependencies = [];
+            }
+
+            // Strip plugin-only module dependencies (e.g., vips) that are not in Core.
+            if ( Array.isArray( assetData.module_dependencies ) ) {
+                assetData.module_dependencies =
+                    assetData.module_dependencies.filter(
+                        ( dep ) =>
+                            ! ( dep.id || dep ).startsWith(
+                                '@wordpress/vips'
+                            )
+                    );
             }