Make WordPress Core

Ticket #45477: 45477.2.diff

File 45477.2.diff, 955 bytes (added by BjornW, 5 years ago)

Using Allowed Origin API to verify an Origin before sending CORS headers

  • src/wp-includes/rest-api.php

     
    527527
    528528/**
    529529 * Sends Cross-Origin Resource Sharing headers with API requests.
    530  *
     530 *
     531 * Note: Any incoming Origin URL is verified against a safe-list of Origins
     532 * using the Allowed Origin API, before these headers are sent.
     533 * {@see 'allowed_http_origins'} filter on how to add an Origin to this list
     534 *
    531535 * @since 4.4.0
    532536 *
    533537 * @param mixed $value Response data.
     
    535539 */
    536540function rest_send_cors_headers( $value ) {
    537541        $origin = get_http_origin();
    538 
    539         if ( $origin ) {
     542        $allowed_origins = get_allowed_http_origins();
     543        if ( $origin && in_array( $origin, $allowed_origins ) ) {
    540544                // Requests from file:// and data: URLs send "Origin: null"
    541545                if ( 'null' !== $origin ) {
    542546                        $origin = esc_url_raw( $origin );
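Review bot: the new guard at lines 542/543 uses a loose `in_array( $origin, $allowed_origins )`; for a security check that compares URL strings against a safe-list it should be strict, `in_array( $origin, $allowed_origins, true )`, or simply reuse core's existing `is_allowed_http_origin( $origin )`, which performs the same lookup against `get_allowed_http_origins()` and additionally runs the `allowed_http_origin` filter so plugins keep a single place to extend the list. Note also that once the safe-list check wraps the block, the inner `if ( 'null' !== $origin )` branch only runs when a filter has added the literal string `'null'` to the allowed origins, so either the comment at line 544 should say that `Origin: null` is now rejected by default or that branch can be simplified. The docblock should also gain a second `@since` line recording the release in which the verification was added, alongside the existing `@since 4.4.0`.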