Ticket #21024: 21024.diff

File 21024.diff, 1.3 KB (added by nacin, 6 years ago)
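--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -284,6 +284,10 @@
  * Send Access-Control-Allow-Origin and related headers if the current request
  * is from an allowed origin.
  *
+ * If the request is an OPTIONS request, the script exits with either access
+ * control headers sent, or a 403 response if the origin is not allowed. For
+ * other request methods, you will receive a return value.
+ *
  * @since 3.4.0
  *
  * @return bool|string Returns the origin URL if headers are sent. Returns false
@@ -291,11 +295,19 @@
  */
 function send_origin_headers() {
         $origin = get_http_origin();
-        if ( ! is_allowed_http_origin( $origin ) )
-                return false;
 
-        @header( 'Access-Control-Allow-Origin: ' .  $origin );
-        @header( 'Access-Control-Allow-Credentials: true' );
+        if ( is_allowed_http_origin( $origin ) ) {
+                @header( 'Access-Control-Allow-Origin: ' .  $origin );
+                @header( 'Access-Control-Allow-Credentials: true' );
+                if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )
+                        exit;
+                return $origin;
+        }
 
-        return $origin;
-}
\ No newline at end of file
+        if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
+                status_header( 403 );
+                exit;
+        }
+
+        return false;
+}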
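Review bot: The allowed-origin branch (new lines 299–305) reflects the request's Origin into `Access-Control-Allow-Origin` with credentials enabled but never sends a `Vary` header. If any response passing through this function is cacheable by a shared cache (the callers are not visible here), a copy stored for one origin could be served to another. Adding `@header( 'Vary: Origin', false );` next to the two existing header calls would tell caches to key on the origin without replacing an existing Vary value. Separately, because every `header()` call is silenced with `@`, the OPTIONS path can `exit` after a headers-already-sent failure with no CORS headers and no trace; a `headers_sent()` check before the branch would make that case visible.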