sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

REST API: Allow "Origin: null" from file: URLs.

Browse Source 
Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value.

Props joehoyle.
Fixes #40011.


git-svn-id: https://develop.svn.wordpress.org/trunk@40600 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Ryan McCue 2017-05-10 04:22:01 +00:00
parent 2e9582fd6d
commit 3f66cf5a2d
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/wp-includes/rest-api.php
View File

@ -525,7 +525,11 @@ function rest_send_cors_headers( $value ) {
$origin = get_http_origin();
if ( $origin ) {
header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
// Requests from file:// and data: URLs send "Origin: null"
if ( 'null' !== $origin ) {
$origin = esc_url_raw( $origin );
}
header( 'Access-Control-Allow-Origin: ' . $origin );
header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
header( 'Access-Control-Allow-Credentials: true' );
header( 'Vary: Origin' );