From df2b9b16890c8472b821ea80158cd1c7dc7169f9 Mon Sep 17 00:00:00 2001
From: TimothyBlynJacobs
Date: Sun, 12 Jul 2020 19:37:12 +0000
Subject: [PATCH] REST API: Add Content-Disposition, Content-MD5 and X-WP-Nonce as allowed cors headers.

The Content-Disposition and Content-MD5 headers allow for easier file uploading across domains by using a File/Blob object directly. The X-WP-Nonce header is allowed for making cross-origin and same-origin authenticated requests consistent. Additionally a filter is introduced, "rest_allowed_cors_headers", to simplify the process of allowing additional request headers.

Props rmccue, TimothyBlynJacobs.
Fixes #41696.
Built from https://develop.svn.wordpress.org/trunk@48452

git-svn-id: http://core.svn.wordpress.org/trunk@48221 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/rest-api/class-wp-rest-server.php | 25 ++++++++++++++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index 2121903ff9..fe71d5e317 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -255,7 +255,30 @@ class WP_REST_Server {
 $expose_headers = apply_filters( 'rest_exposed_cors_headers', $expose_headers );
 $this->send_header( 'Access-Control-Expose-Headers', implode( ', ', $expose_headers ) );
- $this->send_header( 'Access-Control-Allow-Headers', 'Authorization, Content-Type' );
+
+ $allow_headers = array(
+ 'Authorization',
+ 'X-WP-Nonce',
+ 'Content-Disposition',
+ 'Content-MD5',
+ 'Content-Type',
+ );
+
+ /**
+ * Filters the list of request headers that are allowed for CORS requests.
+ *
+ * The allowed headers are passed to the browser to specify which
+ * headers can be passed to the REST API. By default, we allow the
+ * Content-* headers needed to upload files to the media endpoints.
+ * As well as the Authorization and Nonce headers for allowing authentication.
+ *
+ * @since 5.5.0
+ *
+ * @param string[] $allow_headers The list of headers to allow.
+ */
+ $allow_headers = apply_filters( 'rest_allowed_cors_headers', $allow_headers );
+
+ $this->send_header( 'Access-Control-Allow-Headers', implode( ', ', $allow_headers ) );
 /**
 * Send nocache headers on authenticated requests.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index c5c6807484..6db4c9f2b5 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
- $wp_version = '5.5-beta1-48451';
+ $wp_version = '5.5-beta1-48452';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
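Review bot: The value returned by the new `rest_allowed_cors_headers` filter goes straight into `implode( ', ', $allow_headers )`, so a callback that returns something other than a flat array of strings yields a malformed or missing `Access-Control-Allow-Headers` value rather than an error a site owner would notice; the older `rest_exposed_cors_headers` call two lines above has the same shape, so if a guard is added it should probably cover both, e.g. `$allow_headers = array_filter( (array) $allow_headers, 'is_string' );` before the `send_header()` call. The filter docblock also ends in a fragment; suggest `* Content-* headers needed to upload files to the media endpoints, as well as` / `* the Authorization and X-WP-Nonce headers used for authentication.`, and it would help readers to add that widening this list only relaxes the browser's preflight check and does not by itself authenticate a request. The enclosing method begins and ends outside the hunk.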