[wp-trac] [WordPress Trac] #34921: CORS Preflight Check Broken in API

WordPress Trac noreply at wordpress.org
Tue Dec 8 20:05:14 UTC 2015


#34921: CORS Preflight Check Broken in API
--------------------------+-----------------------------
 Reporter:  tlovett1      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 In `/wp-includes/rest-api/class-wp-rest-server.php` line 237:

 `$this->send_header( 'Access-Control-Allow-Headers', 'Authorization' );`

 This is breaking CORS preflight checks and resulting in error messages in
 Chrome like this:

 `XMLHttpRequest cannot load https://corsdomain.com/wp-json/... Request
 header field X-WP-Nonce is not allowed by Access-Control-Allow-Headers in
 preflight response.`

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34921>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
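
The check Chrome is reporting in the ticket above, as an added example that is not part of the original ticket and is not WordPress or browser code: a simplified model of the Fetch standard's preflight header check, comparing a request's non-safelisted headers against `Access-Control-Allow-Headers`. The function names and sample values are assumptions made for illustration; value-length limits and the `Range` safelist rule are left out.

```javascript
// Added example: simplified model of the browser-side CORS preflight
// header check (Fetch standard). Not WordPress or browser source code.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Parse a comma-separated header-name list into a lowercase Set.
function parseNameList(value) {
  return new Set(
    (value || '').split(',').map((n) => n.trim().toLowerCase()).filter(Boolean)
  );
}

// Header names the browser has to announce in Access-Control-Request-Headers.
function unsafeHeaderNames(requestHeaders) {
  const names = [];
  for (const [rawName, value] of Object.entries(requestHeaders)) {
    const name = rawName.toLowerCase();
    if (SAFELISTED.has(name)) continue;
    if (name === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue;
    }
    names.push(name);
  }
  return names.sort();
}

// Return the request headers that the preflight response does not allow.
function blockedHeaders(requestHeaders, allowHeadersValue, withCredentials) {
  const allowed = parseNameList(allowHeadersValue);
  // "*" is only a wildcard for requests sent without credentials.
  const wildcard = allowed.has('*') && !withCredentials;
  return unsafeHeaderNames(requestHeaders).filter((name) => {
    if (allowed.has(name)) return false; // names compare case-insensitively
    // "*" never covers Authorization; it has to be listed by name.
    if (name === 'authorization') return true;
    return !wildcard;
  });
}

// Constructed sample mirroring the ticket: a nonce-authenticated request
// checked against the header value the ticket quotes.
const sample = { 'X-WP-Nonce': 'constructed-nonce', Accept: 'application/json' };
console.log(blockedHeaders(sample, 'Authorization', true));
```

An empty result means the preflight passes; any name returned is one the server would have to list in `Access-Control-Allow-Headers` for the actual request to be sent.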

