
Changeset 56096

Timestamp:
06/28/2023 05:37:52 PM (13 months ago)
Author:
kadamwhite
Message:

REST API: Expose current $request object to cors_header filters in WP_REST_SERVER->serve_request().

Allows headers to be more easily set on a per-response basis when more or less security is needed on a specific route.

Props bor0, rachelbaker, spacedmonkey, chaion07, oglekler, SergeyBiryukov.
Fixes #57752.

Location:
trunk
Files:
2 edited

  • trunk/src/wp-includes/rest-api/class-wp-rest-server.php

    r56031 r56096  
    322322         */
    323323        $this->send_header( 'X-Content-Type-Options', 'nosniff' );
    324         $expose_headers = array( 'X-WP-Total', 'X-WP-TotalPages', 'Link' );
    325 
    326         /**
    327          * Filters the list of response headers that are exposed to REST API CORS requests.
    328          *
    329          * @since 5.5.0
    330          *
    331          * @param string[] $expose_headers The list of response headers to expose.
    332          */
    333         $expose_headers = apply_filters( 'rest_exposed_cors_headers', $expose_headers );
    334 
    335         $this->send_header( 'Access-Control-Expose-Headers', implode( ', ', $expose_headers ) );
    336 
    337         $allow_headers = array(
    338             'Authorization',
    339             'X-WP-Nonce',
    340             'Content-Disposition',
    341             'Content-MD5',
    342             'Content-Type',
    343         );
    344 
    345         /**
    346          * Filters the list of request headers that are allowed for REST API CORS requests.
    347          *
    348          * The allowed headers are passed to the browser to specify which
    349          * headers can be passed to the REST API. By default, we allow the
    350          * Content-* headers needed to upload files to the media endpoints.
    351          * As well as the Authorization and Nonce headers for allowing authentication.
    352          *
    353          * @since 5.5.0
    354          *
    355          * @param string[] $allow_headers The list of request headers to allow.
    356          */
    357         $allow_headers = apply_filters( 'rest_allowed_cors_headers', $allow_headers );
    358 
    359         $this->send_header( 'Access-Control-Allow-Headers', implode( ', ', $allow_headers ) );
    360324
    361325        /**
     
    436400            $request->set_method( $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] );
    437401        }
     402
     403
     404
     405
     406
     407
     408
     409
     410
     411
     412
     413
     414
     415
     416
     417
     418
     419
     420
     421
     422
     423
     424
     425
     426
     427
     428
     429
     430
     431
     432
     433
     434
     435
     436
     437
     438
     439
     440
    438441
    439442        $result = $this->check_authentication();
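Review bot: The two filter docblocks carried into the new block at 402-440 should document the extra argument, since the `rest_exposed_cors_headers` and `rest_allowed_cors_headers` filters now receive it; the relocated lines are not rendered here (only their gutter numbers), so this is inferred from the removed block at 324-359. Under each existing `@since 5.5.0` add `@since <release version> The $request parameter was added.` and after each `@param string[]` line add `@param WP_REST_Request $request The request object.`. Moving the `Access-Control-Expose-Headers` and `Access-Control-Allow-Headers` emission from just after `X-Content-Type-Options` to just before `check_authentication()` also means any early-return path between the old and new positions now responds without those CORS headers; worth confirming that is intended and exercised by the new test. serve_request() begins and ends outside the hunk.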
  • trunk/tests/phpunit/tests/rest-api/rest-server.php

    r55822 r56096  
    22012201    }
    22022202
     2203
     2204
     2205
     2206
     2207
     2208
     2209
     2210
     2211
     2212
     2213
     2214
     2215
     2216
     2217
     2218
     2219
     2220
     2221
     2222
     2223
     2224
     2225
     2226
     2227
     2228
     2229
     2230
     2231
     2232
    22032233    public function _validate_as_integer_123( $value, $request, $key ) {
    22042234        if ( ! is_int( $value ) ) {