[wp-trac] [WordPress Trac] #40011: Do not add scheme prefix to "null" origin in wp-json's Access-Control-Allow-Origin header
WordPress Trac
noreply at wordpress.org
Thu Mar 2 00:46:10 UTC 2017
#40011: Do not add scheme prefix to "null" origin in wp-json's
Access-Control-Allow-Origin header
--------------------------+-----------------------------
 Reporter:  vicshih       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  REST API      |    Version:  4.7
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
In some contexts (e.g. privacy-sensitive), the Origin header is "null".
In these cases the REST API responds with an Access-Control-Allow-Origin
header with the value "http://$origin", since the original origin goes
through esc_url_raw() before rendering. The browser then does not
consider these equivalent and aborts the request with:

    The 'Access-Control-Allow-Origin' header has a value 'http://null' that is
    not equal to the supplied origin. Origin 'null' is therefore not allowed
    access.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40011>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
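
The mismatch described in the ticket, as an added example (not part of the original message and not WordPress code): a JavaScript model of the server building the header and the browser comparing it. `escUrlRawModel` is a hypothetical, simplified stand-in for `esc_url_raw()` that models only the scheme-prepending behaviour the ticket reports; the other function names and the sample origins are constructed for illustration.

```javascript
// Simplified stand-in for WordPress's esc_url_raw() (assumption: models only
// the behaviour in the ticket, i.e. a value with no scheme gets "http://").
function escUrlRawModel(value) {
  if (value === '') return '';
  // Values that already carry a scheme, or start with / # ?, are left alone.
  if (/^[a-z][a-z0-9+.-]*:/i.test(value) || /^[\/#?]/.test(value)) return value;
  return 'http://' + value;
}

// Behaviour reported in the ticket: every Origin value goes through the escaper.
function allowOriginReported(origin) {
  return origin ? escUrlRawModel(origin) : null;
}

// Behaviour the ticket title asks for: the literal "null" is echoed unchanged.
function allowOriginRequested(origin) {
  if (!origin) return null;
  return origin === 'null' ? 'null' : escUrlRawModel(origin);
}

// Browser-side check for a request without credentials: the header must be
// "*" or equal the request's serialized Origin exactly, with no normalisation.
function browserAccepts(requestOrigin, allowOriginHeader) {
  if (allowOriginHeader === null) return false;
  return allowOriginHeader === '*' || allowOriginHeader === requestOrigin;
}

// Constructed sample Origin header values: a normal site and an opaque origin.
const samples = ['https://example.org', 'null'];

// Build the header for each sample and record whether the browser accepts it.
function runSamples(buildHeader) {
  return samples.map((origin) => {
    const header = buildHeader(origin);
    return { origin, header, accepted: browserAccepts(origin, header) };
  });
}

console.log('reported: ', runSamples(allowOriginReported));
console.log('requested:', runSamples(allowOriginRequested));
```

Every opaque origin (a sandboxed iframe, a `data:` URL, a local file) serializes to the same `null` value, so a server that echoes `null` grants access to all of them at once rather than to one identifiable site.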