REST API: Add "Link" to the list of exposed cors headers.

Currently, only the X-WP-Total and X-WP-TotalPages headers are exposed which means that clients have to manually construct the URL to implement pagination instead of using the "prev" and "next" Links.

Additionally, a filter "rest_exposed_cors_headers" is introduced to make it simpler for plugins to expose additional headers.

Props Toro_Unit, ayeshrajans.
Fixes #50369.

Built from https://develop.svn.wordpress.org/trunk@48112


git-svn-id: http://core.svn.wordpress.org/trunk@47881 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/rest-api/class-wp-rest-server.php

@@ -243,7 +243,18 @@ class WP_REST_Server {
 		 * https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
 		 */
 		$this->send_header( 'X-Content-Type-Options', 'nosniff' );
-		$this->send_header( 'Access-Control-Expose-Headers', 'X-WP-Total, X-WP-TotalPages' );
+		$expose_headers = array( 'X-WP-Total', 'X-WP-TotalPages', 'Link' );
+
+		/**
+		 * Filters the list of response headers that are exposed to CORS requests.
+		 *
+		 * @since 5.5.0
+		 *
+		 * @param string[] $expose_headers The list of headers to expose.
+		 */
+		$expose_headers = apply_filters( 'rest_exposed_cors_headers', $expose_headers );
+
+		$this->send_header( 'Access-Control-Expose-Headers', implode( ', ', $expose_headers ) );
 		$this->send_header( 'Access-Control-Allow-Headers', 'Authorization, Content-Type' );
 
 		/**

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.5-alpha-48111';
+$wp_version = '5.5-alpha-48112';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.