Ticket #34921: rest-cors-allowed-headers.diff

wp-includes/rest-api/class-wp-rest-server.php

@@ -234 +234 @@
                  */
                 $this->send_header( 'X-Content-Type-Options', 'nosniff' );
                 $this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
-                $this->send_header( 'Access-Control-Allow-Headers', 'Authorization' );
+                $this->send_header( 'Access-Control-Allow-Headers', 'Authorization, X-WP-Nonce' );
 
                 /**
                  * Send nocache headers on authenticated requests.