REST API: Allow "Origin: null" from file: URLs.

Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value.

Props joehoyle.
Fixes #40011.

Built from https://develop.svn.wordpress.org/trunk@40600


git-svn-id: http://core.svn.wordpress.org/trunk@40470 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Ryan McCue 2017-05-10 04:22:43 +00:00
parent 19ed296008
commit 027e8d9218
2 changed files with 6 additions and 2 deletions


@ -525,7 +525,11 @@ function rest_send_cors_headers( $value ) {
$origin = get_http_origin(); $origin = get_http_origin();
if ( $origin ) { if ( $origin ) {
header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) ); // Requests from file:// and data: URLs send "Origin: null"
if ( 'null' !== $origin ) {
$origin = esc_url_raw( $origin );
}
header( 'Access-Control-Allow-Origin: ' . $origin );
header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' ); header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
header( 'Access-Control-Allow-Credentials: true' ); header( 'Access-Control-Allow-Credentials: true' );
header( 'Vary: Origin' ); header( 'Vary: Origin' );
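
Review bot: The new `'null' !== $origin` branch sends the literal `null` back in `Access-Control-Allow-Origin` while the unchanged `Access-Control-Allow-Credentials: true` line still follows it, and the added inline comment only says where the value comes from, not why reflecting it is acceptable. Since the commit message itself notes that any document can generate this origin, extend the comment to say that CORS is intentionally not treated as a boundary here and that the value skips `esc_url_raw()` because it is not a URL, so a later reader does not mistake the branch for an oversight. The comparison is strict and case-sensitive, so the comment should also say that only the lowercase literal is expected from `get_http_origin()`, or the value should be normalised before the check.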


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.8-alpha-40599'; $wp_version = '4.8-alpha-40600';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.