Changeset 48452
Timestamp:
07/12/2020 07:35:55 PM (4 months ago)
Author:
TimothyBlynJacobs
Message:

REST API: Add Content-Disposition, Content-MD5 and X-WP-Nonce as allowed cors headers.

The Content-Disposition and Content-MD5 headers allow for easier file uploading across domains by using a File/Blob object directly. The X-WP-Nonce header is allowed for making cross-origin and same-origin authenticated requests consistent.

Additionally, a filter is introduced, "rest_allowed_cors_headers", to simplify the process of allowing additional request headers.

Props rmccue, TimothyBlynJacobs.
Fixes #41696.
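A plugin-side use of the new filter, as an added example that is not part of the changeset or of WordPress core: it hooks `rest_allowed_cors_headers` to allow one extra request header on cross-origin REST requests. The header name `X-My-Plugin-Token` and the function name `myplugin_allow_cors_headers` are hypothetical.

```php
<?php
// Added example (not part of r48452): allow one additional request header for
// CORS requests to the REST API via the rest_allowed_cors_headers filter.
// 'X-My-Plugin-Token' is a hypothetical header name used for illustration.

add_filter( 'rest_allowed_cors_headers', 'myplugin_allow_cors_headers' );

function myplugin_allow_cors_headers( $allow_headers ) {
    // Be defensive: an earlier callback on the same filter may have returned
    // something other than an array, which would break the implode() in core.
    $allow_headers = is_array( $allow_headers ) ? $allow_headers : array();

    // Only add headers that the plugin's own endpoints actually read; every
    // allowed name widens what a cross-origin page may send after preflight.
    $allow_headers[] = 'X-My-Plugin-Token';

    // Header names are case-insensitive (RFC 7230), so de-duplicate on a
    // lower-cased key to avoid emitting the same name twice in the response.
    $unique = array();
    foreach ( $allow_headers as $name ) {
        $name = trim( (string) $name );
        if ( '' === $name ) {
            continue;
        }
        $unique[ strtolower( $name ) ] = $name;
    }

    return array_values( $unique );
}
```

The resulting list still only controls what the browser will send in a preflighted request; authentication is enforced separately by the nonce and Authorization checks in the REST server, so the allow-list should stay as small as the site's endpoints require.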

File:
1 edited

  • trunk/src/wp-includes/rest-api/class-wp-rest-server.php

    r48198 r48452  
    256256
    257257        $this->send_header( 'Access-Control-Expose-Headers', implode( ', ', $expose_headers ) );
    258         $this->send_header( 'Access-Control-Allow-Headers', 'Authorization, Content-Type' );
     258
     259        $allow_headers = array(
     260            'Authorization',
     261            'X-WP-Nonce',
     262            'Content-Disposition',
     263            'Content-MD5',
     264            'Content-Type',
     265        );
     266
     267        /**
     268         * Filters the list of request headers that are allowed for CORS requests.
     269         *
     270         * The allowed headers are passed to the browser to specify which
     271         * headers can be passed to the REST API. By default, we allow the
     272         * Content-* headers needed to upload files to the media endpoints.
     273         * As well as the Authorization and Nonce headers for allowing authentication.
     274         *
     275         * @since 5.5.0
     276         *
     277         * @param string[] $allow_headers The list of headers to allow.
     278         */
     279        $allow_headers = apply_filters( 'rest_allowed_cors_headers', $allow_headers );
     280
     281        $this->send_header( 'Access-Control-Allow-Headers', implode( ', ', $allow_headers ) );
    259282
    260283        /**
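Review bot: the value returned by `apply_filters( 'rest_allowed_cors_headers', ... )` is imploded straight into the `Access-Control-Allow-Headers` header with no normalisation, so a filter callback that returns a non-array, empty strings, or duplicate names (for example 'content-type' alongside 'Content-Type', which are the same header per RFC 7230) ends up in the header value as-is; consider `$allow_headers = array_unique( array_filter( array_map( 'trim', (array) $allow_headers ) ) );` before the implode, and document in the docblock that callbacks must return an array of header names. Also, the docblock sentence "As well as the Authorization and Nonce headers for allowing authentication." is a fragment; fold it into the preceding sentence ("... the media endpoints, as well as the Authorization and X-WP-Nonce headers used for authentication.").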