send_origin_headers()

Send Access-Control-Allow-Origin and related headers if the current request is from an allowed origin.

Description

If the request is an OPTIONS request, the script exits with either access control headers sent, or a 403 response if the origin is not allowed. For other request methods, you will receive a return value.

Return

(string|false) Returns the origin URL if headers are sent. Returns false if headers are not sent.

Source

File: wp-includes/http.php

function send_origin_headers() {
	$origin = get_http_origin();

	if ( is_allowed_http_origin( $origin ) ) {
		header( 'Access-Control-Allow-Origin: ' . $origin );
		header( 'Access-Control-Allow-Credentials: true' );
		if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
			exit;
		}
		return $origin;
	}

	if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
		status_header( 403 );
		exit;
	}

	return false;
}

Uses

Uses	Description
wp-includes/functions.php: status_header()	Set HTTP status header.
wp-includes/http.php: is_allowed_http_origin()	Determines if the HTTP origin is an authorized one.
wp-includes/http.php: get_http_origin()	Get the HTTP Origin of the current request.

Used By

Used By	Description
wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::setup_theme()	Start preview and customize theme.

Changelog

Version	Description
3.4.0	Introduced.

© 2003–2021 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/send_origin_headers