
Ticket #41696: 41696.diff

File 41696.diff, 1.3 KB (added by rmccue, 7 years ago)

Add Content-Disposition and Content-MD5 to allowed headers, and add filter to allow custom headers

  • src/wp-includes/rest-api/class-wp-rest-server.php

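--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -240,7 +240,28 @@ class WP_REST_Server {
                  */
                 $this->send_header( 'X-Content-Type-Options', 'nosniff' );
                 $this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
-                $this->send_header( 'Access-Control-Allow-Headers', 'Authorization, Content-Type' );
+
+                $allowed_headers = [
+                        'Authorization',
+                        'Content-Disposition',
+                        'Content-MD5',
+                        'Content-Type',
+                ];
+
+                /**
+                 * Filter allowed headers for Cross-Origin requests.
+                 *
+                 * The allowed headers are passed to the browser to specify which
+                 * headers can be passed to the REST API. By default, we allow the
+                 * Content-* headers needed to upload files to the media endpoints.
+                 *
+                 * @since 4.9.0
+                 *
+                 * @param array $allowed_headers List of allowed headers to be passed in Access-Control-Allow-Headers
+                 */
+                $allowed_headers = apply_filters( 'rest_allowed_cors_headers', $allowed_headers );
+
+                $this->send_header( 'Access-Control-Allow-Headers', implode( ', ', $allowed_headers ) );
 
                 /**
                  * Send nocache headers on authenticated requests.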
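Review bot: The `$allowed_headers = [` literal at new line 244 uses short array syntax, which is a parse error before PHP 5.4; if this targets the 4.9.0 release named in the `@since` tag, which still supported PHP 5.2, it should be written `$allowed_headers = array(` … `);`. The value returned from `rest_allowed_cors_headers` also goes straight into `implode()` at new line 264, so a callback that returns a non-array breaks the header; casting first, `implode( ', ', (array) $allowed_headers )`, keeps the response well-formed. The docblock could add that every name a callback appends is a request header that cross-origin callers are then allowed to send, so the list should stay limited to headers the endpoints actually read, and `@param string[] $allowed_headers` would describe the expected shape more precisely than `array`. The enclosing method starts and ends outside the hunk.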