[wp-trac] [WordPress Trac] #45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin
WordPress Trac
noreply at wordpress.org
Tue Dec 4 20:54:09 UTC 2018
#45477: Disable REST API reflection of request Origin header in response Access-Control-Allow-Origin
-----------------------------------+------------------------------
Reporter: BjornW | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version:
Severity: normal | Resolution:
Keywords: has-patch 2nd-opinion | Focuses:
-----------------------------------+------------------------------
Changes (by BjornW):
* keywords: => has-patch 2nd-opinion
Comment:
This [https://core.trac.wordpress.org/attachment/ticket/45477/45477.2.diff
patch] uses the Allow Origin API to check if an incoming Origin URL is
part of the allowed Origins safe-list. By default, the only Origin URLs
allowed are the current host (both http and https).
Adding an Origin to the safe-list can be done using the
[https://core.trac.wordpress.org/browser/trunk/src/wp-includes/http.php#L449 'allowed_http_origins' filter].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45477#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
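
A stand-alone PHP model of the safe-list check described in the comment above, added here as an illustration; it is not the 45477.2.diff patch and not WordPress core code. The function names, the hosts and the callback standing in for the 'allowed_http_origins' filter are assumptions.

```php
<?php
// Added illustration: a model of "answer only safe-listed Origins",
// as opposed to echoing back whatever Origin the request carried.

/**
 * Default safe-list: the site's own host over http and https.
 * $filter stands in for a callback hooked on 'allowed_http_origins'.
 */
function example_allowed_origins(string $site_host, ?callable $filter = null): array {
    $origins = ["http://{$site_host}", "https://{$site_host}"];
    if ($filter !== null) {
        $origins = $filter($origins);
    }
    return array_values(array_unique($origins));
}

/**
 * Returns the CORS-related headers to send for a given request Origin.
 * An Origin outside the safe-list gets no Access-Control-Allow-Origin.
 */
function example_cors_headers(?string $request_origin, array $allowed): array {
    // The response depends on Origin, so caches must key on it.
    $headers = ['Vary' => 'Origin'];
    if ($request_origin === null || $request_origin === '') {
        return $headers;
    }
    // Exact string comparison: no prefix, suffix or substring matching.
    if (in_array($request_origin, $allowed, true)) {
        $headers['Access-Control-Allow-Origin'] = $request_origin;
    }
    return $headers;
}

// Constructed sample data: one extra origin added through the callback.
$allowed = example_allowed_origins('blog.example', function (array $origins): array {
    $origins[] = 'https://app.example';
    return $origins;
});

$samples = ['https://blog.example', 'https://app.example',
            'https://blog.example.other.test', null];
foreach ($samples as $origin) {
    $h = example_cors_headers($origin, $allowed);
    printf("%-34s => %s\n", $origin ?? '(no Origin header)',
        $h['Access-Control-Allow-Origin'] ?? '(header not sent)');
}
```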