From df5b8dcc82d50dfd94d91592669b3cfe3a0087f0 Mon Sep 17 00:00:00 2001
From: James Nylen
Date: Fri, 19 May 2017 20:27:44 +0000
Subject: [PATCH] REST API: Avoid sending blank `Last-Modified` headers with authenticated requests.
This commit adds a new `WP_REST_Server#remove_header` method and uses it to clear the `Last-Modified` header when the "no caching" headers are sent (by default for all authenticated REST API requests). This matches the behavior of the `nocache_headers` function used in other parts of WordPress. Previously, the REST API would send an empty `Last-Modified` header in this situation. Under some server and browser configurations, this causes browsers to cache authenticated REST API requests, which is undesirable.
Props iv3rson76, zinigor, rmccue, jnylen0.
Fixes #40444.
Built from https://develop.svn.wordpress.org/trunk@40805
git-svn-id: http://core.svn.wordpress.org/trunk@40663 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/rest-api/class-wp-rest-server.php | 30 ++++++++++++++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/wp-includes/rest-api/class-wp-rest-server.php b/wp-includes/rest-api/class-wp-rest-server.php
index 9d4a5fec05..11b8897a2b 100644
--- a/wp-includes/rest-api/class-wp-rest-server.php
+++ b/wp-includes/rest-api/class-wp-rest-server.php
@@ -252,7 +252,11 @@ class WP_REST_Server {
 $send_no_cache_headers = apply_filters( 'rest_send_nocache_headers', is_user_logged_in() );
 if ( $send_no_cache_headers ) {
 foreach ( wp_get_nocache_headers() as $header => $header_value ) {
- $this->send_header( $header, $header_value );
+ if ( empty( $header_value ) ) {
+ $this->remove_header( $header );
+ } else {
+ $this->send_header( $header, $header_value );
+ }
 }
 }
 
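Review bot: `empty( $header_value )` in the new branch is broader than "blank": PHP's `empty()` is also true for the string `'0'` and the integer `0`, so a no-cache header whose value is `0` (an `Expires: 0` supplied through a filter on the header list, say) would be removed instead of sent on an authenticated response. The values come from `wp_get_nocache_headers()`, which is not shown in this hunk, so which falsy value marks `Last-Modified` for removal should be confirmed there. A narrower test such as `if ( false === $header_value || '' === $header_value ) {` keeps the intent without dropping a legitimate `0`. The enclosing method starts and ends outside the hunk.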
@@ -1262,6 +1266,30 @@ class WP_REST_Server {
 }
 }
 
+ /**
+ * Removes an HTTP header from the current response.
+ *
+ * @since 4.8.0
+ * @access public
+ *
+ * @param string $key Header key.
+ */
+ public function remove_header( $key ) {
+ if ( function_exists( 'header_remove' ) ) {
+ // In PHP 5.3+ there is a way to remove an already set header.
+ header_remove( $key );
+ } else {
+ // In PHP 5.2, send an empty header, but only as a last resort to
+ // override a header already sent.
+ foreach ( headers_list() as $header ) {
+ if ( 0 === stripos( $header, "$key:" ) ) {
+ $this->send_header( $key, '' );
+ break;
+ }
+ }
+ }
+ }
+
 /**
 * Retrieves the raw request entity (body).
 *
diff --git a/wp-includes/version.php b/wp-includes/version.php
index f710a38a5a..332dac6e32 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.8-beta1-40804';
+$wp_version = '4.8-beta1-40805';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
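Review bot: On PHP 5.2 the fallback branch of `remove_header()` in class-wp-rest-server.php still sends `$key` with an empty value, which is the condition the commit message says lets some browsers cache authenticated responses, and the docblock does not say so. I would add a sentence to the docblock such as `On PHP < 5.3 the header cannot be removed and is sent with an empty value instead, so caching of the response is not reliably prevented there.` The `header_remove( $key )` branch acts on PHP's header list directly rather than going through `send_header()`, so a subclass that overrides `send_header()` will presumably not observe the removal; a one-line comment on that branch would make the asymmetry explicit.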