Handle pre-flighted OPTIONS requests in send_origin_headers(). Props nacin. fixes #21024

git-svn-id: http://core.svn.wordpress.org/trunk@21988 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-09-24 21:39:04 +00:00 · 2012-09-24 21:39:04 +00:00 · ff07308717
parent a0b9992a84
commit ff07308717
1 changed files with 18 additions and 6 deletions
--- a/wp-includes/http.php
+++ b/wp-includes/http.php
@ -284,6 +284,10 @@ function is_allowed_http_origin( $origin = null ) {
 * Send Access-Control-Allow-Origin and related headers if the current request
 * is from an allowed origin.
 *
+ * If the request is an OPTIONS request, the script exits with either access
+ * control headers sent, or a 403 response if the origin is not allowed. For
+ * other request methods, you will receive a return value.
+ *
 * @since 3.4.0
 *
 * @return bool|string Returns the origin URL if headers are sent. Returns false
@ -291,11 +295,19 @@ function is_allowed_http_origin( $origin = null ) {
 */
 function send_origin_headers() {
 	$origin = get_http_origin();
-	if ( ! is_allowed_http_origin( $origin ) )
-		return false;

+	if ( is_allowed_http_origin( $origin ) ) {
 		@header( 'Access-Control-Allow-Origin: ' .  $origin );
 		@header( 'Access-Control-Allow-Credentials: true' );
-
+		if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )
+			exit;
 		return $origin;
+	}
+
+	if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
+		status_header( 403 );
+		exit;
+	}
+
+	return false;
 }