Ticket #21024: 21024.diff

File 21024.diff, 1.3 KB (added by nacin, 3 years ago)
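--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -284,6 +284,10 @@
  * Send Access-Control-Allow-Origin and related headers if the current request
  * is from an allowed origin.
  *
+ * If the request is an OPTIONS request, the script exits with either access
+ * control headers sent, or a 403 response if the origin is not allowed. For
+ * other request methods, you will receive a return value.
+ *
  * @since 3.4.0
  *
  * @return bool|string Returns the origin URL if headers are sent. Returns false
@@ -291,11 +295,19 @@
  */
 function send_origin_headers() {
         $origin = get_http_origin();
-        if ( ! is_allowed_http_origin( $origin ) )
-                return false;
 
-        @header( 'Access-Control-Allow-Origin: ' .  $origin );
-        @header( 'Access-Control-Allow-Credentials: true' );
+        if ( is_allowed_http_origin( $origin ) ) {
+                @header( 'Access-Control-Allow-Origin: ' .  $origin );
+                @header( 'Access-Control-Allow-Credentials: true' );
+                if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )
+                        exit;
+                return $origin;
+        }
 
-        return $origin;
-}
\ No newline at end of file
+        if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
+                status_header( 403 );
+                exit;
+        }
+
+        return false;
+}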
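Review bot: The allowed-origin branch of `send_origin_headers()` echoes the request's `$origin` into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` but never sends `Vary: Origin`, so a shared cache in front of the site could store a response carrying one origin's grant and serve it for a request from another. I would add `@header( 'Vary: Origin', false );` beside the two existing `@header()` calls, passing `false` so an existing `Vary` header is appended to rather than replaced. Because the origin is reflected with credentials enabled, the whole control rests on `is_allowed_http_origin()`, which is outside this diff; a one-line comment above the branch saying so would help the next reader. Both new `$_SERVER['REQUEST_METHOD']` reads are also unguarded and would raise an undefined-index notice if the function is ever reached outside a web request (callers are not visible here, so this may be rare).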