Automattic\WooCommerce\StoreApi

Authentication::send_cors_headers()publicWC 1.0

Add CORS headers to a response object.

These checks prevent access to the Store API from non-allowed origins. By default, the WordPress REST API allows access from any origin. Because some Store API routes return PII, we need to add our own CORS headers.

Allowed origins can be changed using the WordPress allowed_http_origins allowed_http_origin if access needs to be granted to other domains.

Users of valid Cart Tokens are also allowed access from any origin.

Метод класса: Authentication{}

Хуков нет.

Возвращает

true|false.

Использование

$Authentication = new Authentication();
$Authentication->send_cors_headers( $value, $server, $request );
$value(true|false) (обязательный)
Whether the request has already been served.
$server(\WP_REST_Server) (обязательный)
The REST server instance.
$request(\WP_REST_Request) (обязательный)
The REST request instance.

Код Authentication::send_cors_headers() WC 9.8.5

woocommerce/src/StoreApi/Authentication.php 
public function send_cors_headers( $value, $server, $request ) {
	$origin = get_http_origin();

	if ( 'null' !== $origin ) {
		$origin = esc_url_raw( $origin );
	}

	// Send standard CORS headers.
	$server = rest_get_server();
	$server->send_header( 'Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, PATCH, DELETE' );
	$server->send_header( 'Access-Control-Allow-Credentials', 'true' );
	$server->send_header( 'Vary', 'Origin', false );

	// Allow preflight requests, certain http origins, and any origin if a cart token is present. Preflight requests
	// are allowed because we'll be unable to validate cart token headers at that point.
	if ( $this->is_preflight() || JsonWebToken::validate( $this->get_cart_token( $request ), $this->get_cart_token_secret() ) || is_allowed_http_origin( $origin ) ) {
		$server->send_header( 'Access-Control-Allow-Origin', $origin );
	}

	// Exit early during preflight requests. This is so someone cannot access API data by sending an OPTIONS request
	// with preflight headers and a _GET property to override the method.
	if ( $this->is_preflight() ) {
		exit;
	}

	return $value;
}