From c29144da45907eab88f400e4ee92f9153fd3a9ed Mon Sep 17 00:00:00 2001
From: Seghir Nadir
Date: Mon, 17 Jul 2023 16:16:02 +0100
Subject: [PATCH] Don't send headers early in Store API (#10241)
---
 src/StoreApi/Authentication.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/StoreApi/Authentication.php b/src/StoreApi/Authentication.php
index a6e5c3e4ace..463a82d23bb 100644
--- a/src/StoreApi/Authentication.php
+++ b/src/StoreApi/Authentication.php
@@ -61,14 +61,15 @@ public function send_cors_headers( $value, $result, $request ) {
 }
 // Send standard CORS headers.
- header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
- header( 'Access-Control-Allow-Credentials: true' );
- header( 'Vary: Origin', false );
+ $server = rest_get_server();
+ $server->send_header( 'Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, PATCH, DELETE' );
+ $server->send_header( 'Access-Control-Allow-Credentials', 'true' );
+ $server->send_header( 'Vary', 'Origin', false );
 // Allow preflight requests, certain http origins, and any origin if a cart token is present. Preflight requests
 // are allowed because we'll be unable to validate cart token headers at that point.
 if ( $this->is_preflight() || $this->has_valid_cart_token( $request ) || is_allowed_http_origin( $origin ) ) {
- header( 'Access-Control-Allow-Origin: ' . $origin );
+ $server->send_header( 'Access-Control-Allow-Origin', $origin );
 }
 // Exit early during preflight requests. This is so someone cannot access API data by sending an OPTIONS request
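Review bot: The third argument in `$server->send_header( 'Vary', 'Origin', false );` most likely has no effect. As far as I know, `WP_REST_Server::send_header()` accepts only a key and a value and calls `header()` in its default replacing mode, so the append behaviour of the removed `header( 'Vary: Origin', false );` is lost. A `Vary` value set earlier in the request would then be overwritten, and a later `Vary` write through the same API would drop `Origin`. That matters because this method reflects `$origin` into `Access-Control-Allow-Origin` alongside `Access-Control-Allow-Credentials: true`, so shared caches must keep keying on the request origin. If appending is still intended, either drop the misleading `false` and add a comment such as `// send_header() replaces any existing Vary header; Origin must remain in the final value.`, or merge `Origin` into the existing `Vary` value before sending. The body of `send_cors_headers` starts and ends outside this hunk, so where `$origin` comes from is not visible here.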