From 3f66cf5a2d8dd787c2334c050c4dd222c48633a5 Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 10 May 2017 04:22:01 +0000
Subject: [PATCH] REST API: Allow "Origin: null" from file: URLs.

Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value. Props joehoyle. Fixes #40011.
git-svn-id: https://develop.svn.wordpress.org/trunk@40600 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/rest-api.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/rest-api.php b/src/wp-includes/rest-api.php
index e6cdc3a959..ec7c50d27b 100644
--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -525,7 +525,11 @@ function rest_send_cors_headers( $value ) {
 $origin = get_http_origin();
 if ( $origin ) {
- header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
+ // Requests from file:// and data: URLs send "Origin: null"
+ if ( 'null' !== $origin ) {
+ $origin = esc_url_raw( $origin );
+ }
+ header( 'Access-Control-Allow-Origin: ' . $origin );
 header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 header( 'Access-Control-Allow-Credentials: true' );
 header( 'Vary: Origin' );
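Review bot: The new comment above `if ( 'null' !== $origin )` understates who sends this value: browsers use `Origin: null` for any opaque origin, which includes sandboxed frames embedded in ordinary websites, not only file:// and data: documents. The unchanged lines below still send `Access-Control-Allow-Credentials: true`, so echoing `null` is only as safe as the request authentication that happens outside this hunk (presumably a nonce requirement for cookie sessions; not visible here). I would word the comment as `// "Origin: null" comes from any opaque origin (file:, data:, sandboxed frames); echoing it is safe only because cookie auth is verified separately.` and add a test that a cookie-authenticated request carrying `Origin: null` is refused when that verification fails. rest_send_cors_headers() continues past the end of the hunk.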