Make WordPress Core

Changeset 40600


Timestamp:
05/10/2017 04:22:01 AM (7 years ago)
Author:
rmccue
Message:

REST API: Allow "Origin: null" from file: URLs.

Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value.

Props joehoyle.
Fixes #40011.

File:
1 edited

  • trunk/src/wp-includes/rest-api.php

    r40101 r40600  
    526526
    527527    if ( $origin ) {
    528         header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
     528        // Requests from file:// and data: URLs send "Origin: null"
     529        if ( 'null' !== $origin ) {
     530            $origin = esc_url_raw( $origin );
     531        }
     532        header( 'Access-Control-Allow-Origin: ' . $origin );
    529533        header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
    530534        header( 'Access-Control-Allow-Credentials: true' );
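
Review bot: With the new `'null' !== $origin` branch (new lines 529-531), the unchanged `Access-Control-Allow-Credentials: true` line that follows is now also sent alongside `Access-Control-Allow-Origin: null`, and the inline comment does not say that this is intended. The commit message states that CORS protections are disabled on purpose, so the comment should say so too, for example that "null" is passed through unescaped because it is a fixed literal rather than a URL and that credentialed requests from such documents are deliberately allowed. Two smaller points: the comparison is strict and case-sensitive, which is worth keeping so that only the exact string `null` bypasses `esc_url_raw()`, and the changeset edits a single file, so a unit test asserting the emitted header for an `Origin: null` request would keep this special case from regressing.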