send_origin_headers for admin-ajax
|Reported by:|batmoo|Owned by:|ryan|
|Severity:|normal|Keywords:|has-patch needs-testing commit|
admin-ajax should allow cross-domain requests for known domains by sending the correct Access-Control-Allow-Origin headers using send_origin_headers().
Note that the pre-flighted OPTIONS request that browsers make to check if the origin is allowed does not send the necessary params (specifically "action"), which means that admin-ajax's if ( empty( $_REQUEST['action'] ) ) check causes the request to fail, so that needs to be accounted for.
We should also send the Access-Control-Allow-Credentials: true header to allow authenticated cross-domain requests via the withCredentials: true flag. Maybe this can be an argument for send_origin_headers?
Change History (13)
- Owner set to ryan
- Resolution set to fixed
- Status changed from new to closed
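The ordering problem the ticket describes, as an added example that is not WordPress core code and not the patch attached to this ticket: the preflight is answered before the empty-action check, and the credentials header is only sent alongside a specific allowlisted origin. The function name `ajax_cors_response`, the `ALLOWED_ORIGINS` list, the status codes and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code. The function name, allowlist,
// status codes and sample requests are constructed for this example.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Returns [int $status, array $headers] for an admin-ajax style endpoint.
function ajax_cors_response(string $method, ?string $origin, array $params, bool $allowCredentials = false): array
{
    $headers = [];
    // Exact string match against the allowlist; never reflect an arbitrary Origin.
    $originOk = $origin !== null && in_array($origin, ALLOWED_ORIGINS, true);
    if ($originOk) {
        $headers['Access-Control-Allow-Origin'] = $origin;
        $headers['Vary'] = 'Origin'; // caches must key the response on Origin
        if ($allowCredentials) {
            // Browsers reject credentialed responses that use "*", so this is
            // only emitted together with the specific origin above.
            $headers['Access-Control-Allow-Credentials'] = 'true';
        }
    }
    // The preflight carries no "action" parameter, so it has to be answered
    // before the empty-action check below.
    if ($method === 'OPTIONS') {
        if (!$originOk) {
            return [403, $headers];
        }
        $headers['Access-Control-Allow-Methods'] = 'GET, POST';
        return [200, $headers];
    }
    if (empty($params['action'])) {
        return [400, $headers]; // stand-in for the endpoint's failure path
    }
    return [200, $headers];
}

// Constructed sample requests: method, Origin header, request parameters.
$cases = [
    ['OPTIONS', 'https://app.example.com', []],
    ['OPTIONS', 'https://evil.example.net', []],
    ['POST', 'https://app.example.com', ['action' => 'heartbeat']],
    ['POST', 'https://app.example.com', []],
];
foreach ($cases as [$m, $o, $p]) {
    [$status, $h] = ajax_cors_response($m, $o, $p, true);
    echo "$m $o => $status " . json_encode($h, JSON_UNESCAPED_SLASHES) . PHP_EOL;
}
```

The second case shows an unlisted origin receiving no CORS headers at all, which is what makes the browser block the follow-up credentialed request.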