WordPress.org
Get WordPress

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#34921 closed defect (bug) (wontfix)

CORS Preflight Check Broken in API

Reported by: tlovett1's profile tlovett1 Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.6
Component: REST API Keywords: has-patch
Focuses: Cc:

Description

In /wp-includes/rest-api/class-wp-rest-server.php line 237:

$this->send_header( 'Access-Control-Allow-Headers', 'Authorization' );

This is breaking CORS preflight checks and resulting in error messages in Chrome like this:

XMLHttpRequest cannot load https://corsdomain.com/wp-json/... Request header field X-WP-Nonce is not allowed by Access-Control-Allow-Headers in preflight response.

Attachments (1)

rest-cors-allowed-headers.diff (654 bytes) - added by tlovett1 7 years ago.

Download all attachments as: .zip

Change History (6)

This ticket was mentioned in Slack in #core by helen. View the logs.
7 years ago

@tlovett1
7 years ago

#2 @tlovett1
7 years ago

  • Keywords has-patch added

This ticket was mentioned in Slack in #core by rachelbaker. View the logs.
7 years ago

#4 @rachelbaker
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Per @rmccue that merged the related code here: https://github.com/WP-API/WP-API/pull/1529

You shouldn't be able to send the nonce from a different origin so far as I can tell
Cookie authentication is intentionally limited by the nonce to the current site.

If you really need it, you can send multiple Access-Control-Allow-Headers headers, so hook into an early action (like rest_send_nocache_headers) and add extra ones

#5 @rickharrison
7 years ago

I am trying to hit my API from a javascript app and this hardcoded Access-Control-Allow-Headers is getting in the way. How do you customize this?

Note: See TracTickets for help on using tickets.