Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#37994 closed defect (bug) (fixed)

Preflight CORS check fails because of missing "Access-Control-Allow-Headers: Content-Type"

Reported by: nuvoPoint
Owned by: pento
Milestone: 4.7
Priority: normal
Severity: normal
Version: 4.4
Component: REST API
Keywords: has-patch
Focuses:
Cc:


Working on a single page app in Angular2 (Ionic 2), and trying to talk to the WP REST API V2.

GETs work fine, but when I try to POST, the preflight check fails because of a missing Access-Control-Allow-Headers returned from WP REST.

The preflight check checks for Access-Control-Request-Headers: Authorization, Content-Type with an OPTIONS call, and WP REST replies:
Access-Control-Allow-Headers: Authorization

The missing "Content-Type" from the reply blocks the following post-flight request, and execution stops.

I can easily solve this problem with some custom headers via PHP, but I simply request that you add official support for this. Would be a lot less hassle for a lot of JavaScript-based apps.

Basically the only thing you need to add is "Content-Type" to line 237 of /wp-includes/rest-api/class-wp-rest-server.php.

Anyway, here's a workaround:

// Workaround: add Content-Type to the headers allowed in the preflight response.
add_filter('rest_post_dispatch', function (\WP_REST_Response $result) {
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        $result->header('Access-Control-Allow-Headers', 'Authorization, Content-Type', true);
    }
    return $result;
});

Still, would prefer official support for it.

Attachments (1)

37994.diff (668 bytes) - added by jnylen0 8 years ago.


Change History (8)

This ticket was mentioned in Slack in #core-restapi by jnylen. View the logs.

8 years ago

#2 @jnylen0
8 years ago

We're currently patching this on - otherwise POST/PUT requests with Content-Type: application/json fail because they are not "simple requests" according to the CORS rules. We should fix this in core instead of making people patch around it.

8 years ago

#3 @jnylen0
8 years ago

  • Keywords has-patch added
  • Version 4.6.1 deleted

#4 @jnylen0
8 years ago

  • Version set to trunk

This ticket was mentioned in Slack in #core-restapi by jnylen. View the logs.

8 years ago

#6 @pento
8 years ago

  • Milestone changed from Awaiting Review to 4.7
  • Owner set to pento
  • Status changed from new to assigned
  • Version changed from trunk to 4.4

#7 @pento
8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 39044:

REST API: Allow Content-Type on CORS requests.

This allows POST requests with a wider variety of `Content-Type` headers - `Content-Type: application/json`, for example.

Props jnylen0.
Fixes #37994.
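
The preflight comparison discussed in this ticket, as an added example that is not part of the ticket or of WordPress core: a simplified JavaScript model of how a browser decides which request headers need approval and whether the server's `Access-Control-Allow-Headers` covers them. The function names are hypothetical, the request is constructed from the header values quoted in the ticket, and the model ignores credentials mode and the value-length limits on safelisted headers.

```javascript
// Added example: simplified model of the browser's CORS preflight header check.
// Function names are hypothetical; header values are the ones quoted in the ticket.
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);

// Split a comma-separated header list into lowercase names.
function parseList(value) {
  return (value || '')
    .split(',')
    .map((name) => name.trim().toLowerCase())
    .filter(Boolean);
}

// Headers the browser lists in Access-Control-Request-Headers:
// everything that is not CORS-safelisted for this request.
function unsafeHeaders(requestHeaders) {
  const names = [];
  for (const [name, value] of Object.entries(requestHeaders)) {
    const lower = name.toLowerCase();
    if (SAFE_HEADERS.has(lower)) continue;
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue; // simple request, no approval needed
    }
    names.push(lower);
  }
  return names.sort();
}

// Compare what the request needs with the server's Access-Control-Allow-Headers.
function checkPreflight(requestHeaders, allowHeadersValue) {
  const allowed = new Set(parseList(allowHeadersValue));
  const needed = unsafeHeaders(requestHeaders);
  // "*" is a wildcard for non-credentialed requests but never covers Authorization.
  const missing = needed.filter(
    (name) => !allowed.has(name) && !(allowed.has('*') && name !== 'authorization')
  );
  return { needed, missing, ok: missing.length === 0 };
}

// Constructed request matching the ticket: JSON POST with an Authorization header.
const jsonPost = { Authorization: 'Bearer <token>', 'Content-Type': 'application/json' };
console.log(checkPreflight(jsonPost, 'Authorization'));               // before the fix
console.log(checkPreflight(jsonPost, 'Authorization, Content-Type')); // after the fix
```

A form-encoded POST without custom headers yields an empty `needed` list, which is why only JSON-style requests hit the missing header.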
