REST API: Allow "Origin: null" from file: URLs.

Browsers send an "Origin: null" header value for file and data URLs, as they can be generated by any document, and their origin is not guaranteed. Since we want to allow any URL to access the API (intentionally disabling the CORS protections), we need to special-case the non-URL "null" value.

Props joehoyle.
Fixes #40011.

Built from https://develop.svn.wordpress.org/trunk@40600


git-svn-id: http://core.svn.wordpress.org/trunk@40470 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/rest-api.php

@@ -525,7 +525,11 @@ function rest_send_cors_headers( $value ) {
 	$origin = get_http_origin();
 
 	if ( $origin ) {
-		header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
+		// Requests from file:// and data: URLs send "Origin: null"
+		if ( 'null' !== $origin ) {
+			$origin = esc_url_raw( $origin );
+		}
+		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
 		header( 'Vary: Origin' );

wp-includes/version.php

@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.8-alpha-40599';
+$wp_version = '4.8-alpha-40600';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.