What if allowed_http_origins have empty value?

  • Hi all

    wanna ask, regading the cors, when dive deeper into wordpress, wordpress already define the default allowed http origin

    function get_allowed_http_origins() {
    	$admin_origin = parse_url( admin_url() );
    	$home_origin  = parse_url( home_url() );

    	// @todo Preserve port?
    	$allowed_origins = array_unique(
    		array(
    			'https://' . $admin_origin['host'],
    			'https://' . $admin_origin['host'],
    			'https://' . $home_origin['host'],
    			'https://' . $home_origin['host'],
    		)
    	);

    	/**
    	 * Change the origin types allowed for HTTP requests.
    	 *
    	 * @since 3.4.0
    	 *
    	 * @param string[] $allowed_origins {
    	 *     Array of default allowed HTTP origins.
    	 *
    	 *     @type string $0 Non-secure URL for admin origin.
    	 *     @type string $1 Secure URL for admin origin.
    	 *     @type string $2 Non-secure URL for home origin.
    	 *     @type string $3 Secure URL for home origin.
    	 * }
    	 */
    	return apply_filters( 'allowed_http_origins', $allowed_origins );
    }

    what if, the allowed_http_origins is empty? is there any issue?

    thanks

Viewing 2 replies - 1 through 2 (of 2 total)

  • This can only happen if an incorrect URL or no URL at all is returned by admin_url(). This means that the page URL should not be set. The most likely possibility would be that something (a plugin?) is using one of the hooks (e.g. site_url) incorrectly.

    I don’t think you can say more about a “what if” question in this very general context.

    What is the background to your question?

    Thread Starter anugrahjaya1

    (@anugrahjaya1)

    I did research and here the code for remove default allowed HTTP origins from WordPress

    function remove_allowed_http_origins_defaults($allowed_origins)
    {
        $allowed_origins = [];

        return $allowed_origins;
    }

    add_filter("allowed_http_origins", "remove_allowed_http_origins_defaults", 10, 1);

    The background is want to know how flexible CORS is in WordPress, and regarding security as well. So will there be any issues if the code is implemented? and I also realized, using the same filter hook we can reset the allowed origin as needed.

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.