This repository has been archived by the owner on Feb 23, 2024. It is now read-only.

Don't send headers early in Store API (#10241)
senadir authored and opr committed Jul 17, 2023
1 parent 5935420 commit c29144d
Showing 1 changed file with 5 additions and 4 deletions.
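--- a/src/StoreApi/Authentication.php
+++ b/src/StoreApi/Authentication.php
@@ -61,14 +61,15 @@ public function send_cors_headers( $value, $result, $request ) {
 }
 
 // Send standard CORS headers.
-header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
-header( 'Access-Control-Allow-Credentials: true' );
-header( 'Vary: Origin', false );
+$server = rest_get_server();
+$server->send_header( 'Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, PATCH, DELETE' );
+$server->send_header( 'Access-Control-Allow-Credentials', 'true' );
+$server->send_header( 'Vary', 'Origin', false );
 
 // Allow preflight requests, certain http origins, and any origin if a cart token is present. Preflight requests
 // are allowed because we'll be unable to validate cart token headers at that point.
 if ( $this->is_preflight() || $this->has_valid_cart_token( $request ) || is_allowed_http_origin( $origin ) ) {
-header( 'Access-Control-Allow-Origin: ' . $origin );
+$server->send_header( 'Access-Control-Allow-Origin', $origin );
 }
 
 // Exit early during preflight requests. This is so someone cannot access API data by sending an OPTIONS request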
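Review bot: The third argument in `$server->send_header( 'Vary', 'Origin', false );` most likely has no effect. As far as I know `WP_REST_Server::send_header()` accepts only a key and a value and calls `header()` with its default replace behaviour, so the append semantics of the old `header( 'Vary: Origin', false )` are lost and a `Vary` value set earlier in the request would be overwritten. This matters because the block echoes `$origin` in `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`, so shared caches depend on `Vary: Origin` being present together with any other Vary tokens. Keeping `header( 'Vary: Origin', false );` for this one header, or merging `Origin` into the existing value before calling `send_header()`, would preserve the old behaviour. The body of `send_cors_headers` starts and ends outside the hunk, so how `$origin` is obtained and validated is not visible here.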
