
Don't send headers early in Store API #10241

Merged
merged 1 commit into from
Jul 17, 2023
Merged
9 changes: 5 additions & 4 deletions src/StoreApi/Authentication.php
Expand Up @@ -61,14 +61,15 @@ public function send_cors_headers( $value, $result, $request ) {
}

// Send standard CORS headers.
header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
header( 'Access-Control-Allow-Credentials: true' );
header( 'Vary: Origin', false );
$server = rest_get_server();
$server->send_header( 'Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, PATCH, DELETE' );
$server->send_header( 'Access-Control-Allow-Credentials', 'true' );
$server->send_header( 'Vary', 'Origin', false );

// Allow preflight requests, certain http origins, and any origin if a cart token is present. Preflight requests
// are allowed because we'll be unable to validate cart token headers at that point.
if ( $this->is_preflight() || $this->has_valid_cart_token( $request ) || is_allowed_http_origin( $origin ) ) {
header( 'Access-Control-Allow-Origin: ' . $origin );
$server->send_header( 'Access-Control-Allow-Origin', $origin );
}

// Exit early during preflight requests. This is so someone cannot access API data by sending an OPTIONS request
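Review bot: The third argument on the `Vary` line is silently dropped: `WP_REST_Server::send_header()` accepts only a header name and a value and calls `header()` with its default replace behaviour, so `$server->send_header( 'Vary', 'Origin', false )` now overwrites any `Vary` value already set instead of appending to it as the removed `header( 'Vary: Origin', false )` did. Downstream caches key responses on the full `Vary` list, so losing an entry set earlier in the request (by core or another plugin) changes which cached variant is served; if the server API still has the two-parameter signature, this one header should stay as `header( 'Vary: Origin', false );`, or the existing `Vary` value should be merged before calling `send_header()`. A short comment on that line, `// Vary must be additive: other code may already have set it`, would stop the next refactor from reintroducing this. send_cors_headers() starts before this hunk and continues after it.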