From ff073087175910a1a54dc4a344d0c0d262ea6cb5 Mon Sep 17 00:00:00 2001
From: Ryan Boren
Date: Mon, 24 Sep 2012 21:39:04 +0000
Subject: [PATCH] Handle pre-flighted OPTIONS requests in send_origin_headers(). Props nacin. fixes #21024

git-svn-id: http://core.svn.wordpress.org/trunk@21988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/http.php | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/wp-includes/http.php b/wp-includes/http.php
index 0fcca76241..56e4f9ff20 100644
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@@ -284,6 +284,10 @@ function is_allowed_http_origin( $origin = null ) {
  * Send Access-Control-Allow-Origin and related headers if the current request
  * is from an allowed origin.
  *
+ * If the request is an OPTIONS request, the script exits with either access
+ * control headers sent, or a 403 response if the origin is not allowed. For
+ * other request methods, you will receive a return value.
+ *
  * @since 3.4.0
  *
  * @return bool|string Returns the origin URL if headers are sent. Returns false
@@ -291,11 +295,19 @@ function is_allowed_http_origin( $origin = null ) {
  */
 function send_origin_headers() {
 	$origin = get_http_origin();
 
-	if ( ! is_allowed_http_origin( $origin ) )
-		return false;
-	@header( 'Access-Control-Allow-Origin: ' . $origin );
-	@header( 'Access-Control-Allow-Credentials: true' );
+	if ( is_allowed_http_origin( $origin ) ) {
+		@header( 'Access-Control-Allow-Origin: ' . $origin );
+		@header( 'Access-Control-Allow-Credentials: true' );
+		if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )
+			exit;
+		return $origin;
+	}
 
-	return $origin;
-}
\ No newline at end of file
+	if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
+		status_header( 403 );
+		exit;
+	}
+
+	return false;
+}
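Review bot: Both new OPTIONS checks in send_origin_headers() read `$_SERVER['REQUEST_METHOD']` without guarding the key, so any invocation where that index is absent (CLI or cron-style entry points, if this function is reached from them) raises a notice and evaluates the comparison against null; `if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )` at both sites keeps the intended behaviour for real HTTP requests. The new code also calls `exit` from inside a library function on the preflight path, which prevents callers from running any shutdown or logging they expected after the return; that is documented in the added docblock paragraph, but it is worth a `// preflight: nothing further to do for this request` comment at each `exit` so the intent is visible at the call site. Finally, the allowed-origin preflight branch only emits Allow-Origin and Allow-Credentials; presumably callers that expect non-simple cross-origin requests (custom headers or methods) will also need Access-Control-Allow-Methods / Access-Control-Allow-Headers, so confirm what the existing callers of this function require before relying on the preflight path alone. The surrounding docblock for this function starts in the earlier hunk.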