From 027e8d92186954548f62f53d5dfb58afa79f7717 Mon Sep 17 00:00:00 2001
From: Ryan McCue
Date: Wed, 10 May 2017 04:22:43 +0000
Subject: [PATCH] REST API: Allow "Origin: null" from file: URLs.

Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value.

Props joehoyle. Fixes #40011.

Built from https://develop.svn.wordpress.org/trunk@40600

git-svn-id: http://core.svn.wordpress.org/trunk@40470 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/rest-api.php | 6 +++++-
 wp-includes/version.php | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php
index e6cdc3a959..ec7c50d27b 100644
--- a/wp-includes/rest-api.php
+++ b/wp-includes/rest-api.php
@@ -525,7 +525,11 @@ function rest_send_cors_headers( $value ) {
 $origin = get_http_origin();
 
 if ( $origin ) {
- header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
+ // Requests from file:// and data: URLs send "Origin: null"
+ if ( 'null' !== $origin ) {
+ $origin = esc_url_raw( $origin );
+ }
+ header( 'Access-Control-Allow-Origin: ' . $origin );
 header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 header( 'Access-Control-Allow-Credentials: true' );
 header( 'Vary: Origin' );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ed87ee68b9..e9dce89d8e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-alpha-40599';
+$wp_version = '4.8-alpha-40600';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
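Review bot: The new comment above the `'null' !== $origin` check in rest_send_cors_headers() names only file:// and data: URLs, but browsers also send `Origin: null` from sandboxed frames and other opaque-origin documents, so the value is not limited to local files and should not read as a trusted one. Since the literal is echoed next to `Access-Control-Allow-Credentials: true`, I would spell that out in the comment, e.g. `// "Origin: null" is sent by any opaque origin (file:, data:, sandboxed frames); it is echoed as-is and must never be treated as trusted.` That is consistent with the commit's stated intent of allowing every origin, and it presumably relies on cookie-authenticated requests being gated by a nonce check outside this hunk, which is worth confirming. Separately, `esc_url_raw()` can return an empty string for a scheme it does not allow, in which case an empty `Access-Control-Allow-Origin:` value is still sent; a guard such as `if ( '' === $origin ) { return $value; }` after the escape would avoid that, but the function body continues outside the hunk, so check what the tail returns.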