id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
21024	send_origin_headers for admin-ajax	batmoo	ryan	"admin-ajax should allow cross-domain requests for known domains using by sending the correct {{{Access-Control-Allow-Origin}}} headers using {{{send_origin_headers()}}}.

Note that the pre-flighted {{{OPTIONS}}} request that browsers make to check if the origin is allowed, does not send the necessary params (specifically ""action""), which means that admin-ajax's {{{if ( empty( $_REQUEST['action'] ) )}}} check causes the request to fail so that needs to be accounted for.

We should also send the {{{Access-Control-Allow-Credentials: true}}} header to allow authenticated cross-domain requests via the {{{withCredentials: true}}} flag. Maybe this can be an argument for {{{send_origin_headers}}}?"	enhancement	closed	normal	3.5	General		normal	fixed	has-patch needs-testing commit	batmoo johnjamesjacoby