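diff --git src/wp-includes/rest-api/class-wp-rest-server.php src/wp-includes/rest-api/class-wp-rest-server.php
index 2ec8ccde23..d1f27570fa 100644
--- a/src/wp-includes/rest-api/class-wp-rest-server.php
+++ b/src/wp-includes/rest-api/class-wp-rest-server.php
@@ -240,7 +240,28 @@ class WP_REST_Server {
 */
 $this->send_header( 'X-Content-Type-Options', 'nosniff' );
 $this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
-$this->send_header( 'Access-Control-Allow-Headers', 'Authorization, Content-Type' );
+
+$allowed_headers = [
+'Authorization',
+'Content-Disposition',
+'Content-MD5',
+'Content-Type',
+];
+
+/**
+* Filter allowed headers for Cross-Origin requests.
+*
+* The allowed headers are passed to the browser to specify which
+* headers can be passed to the REST API. By default, we allow the
+* Content-* headers needed to upload files to the media endpoints.
+*
+* @since 4.9.0
+*
+* @param array $allowed_headers List of allowed headers to be passed in Access-Control-Allow-Headers
+*/
+$allowed_headers = apply_filters( 'rest_allowed_cors_headers', $allowed_headers );
+
+$this->send_header( 'Access-Control-Allow-Headers', implode( ', ', $allowed_headers ) );
 
 /**
 * Send nocache headers on authenticated requests.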
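Review bot: The value returned by the `rest_allowed_cors_headers` filter goes straight into `implode()` and then into the `Access-Control-Allow-Headers` response header, so a callback that returns a string, null or a nested array yields a warning or a malformed header rather than the default list. Normalising it right after `apply_filters()`, for example `$allowed_headers = array_unique( array_filter( (array) $allowed_headers, 'is_string' ) );`, keeps the header well formed whatever a plugin returns. The filter docblock should also state that each entry added here widens what cross-origin callers are allowed to send, since that is the decision a plugin author makes when hooking it. Separately, the `[ ... ]` literal needs PHP 5.4; if this branch still supports older PHP, as the `@since 4.9.0` target suggests it may, `array( ... )` is required to avoid a parse error. The enclosing method starts and ends outside the hunk.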