Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter oyvindwe

    (@oyvindwe)

    My main goal is to be able to restrict Access-Control-Allow-Origin for /wp-json and keep the other headers as is. This requires a plugin, and this one looks very nice, so I would be very happy to use it instead of writing my own.

    Without this plugin installed, I get this header (as posted above) for /wp-json:

    access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE

    I would like to retain the value. I actually don’t know if PATCH is in use or not, I’m not that familiar with the WordPress REST API.

    It is only available on the Subversion repository.

    “No support for PATCH.”

    At this moment, most users of this plugin are utilizing it for GET, POST, and OPTIONS methods. If any 5 users, like yourself, open or add a thread to enable the PATCH method, I will include that in the next update.

    OK – I tried to add “PATCH” to both the JavaScript and PHP files, but I wasn’t able to make it appear in the admin UI.

    “Commas should be followed by a space (” “).”

    If you could explain or add a relevant resource link discussing the pros and cons of this, I would be grateful to you.

    Space is optional according to the spec, but improves readability. The plugin actually uses spaces in Access-Control-Allow-Headers.

    Access-Control-Allow-Methods = #method
    Access-Control-Allow-Headers = #field-name

    https://fetch.spec.whatwg.org/#http-new-header-syntax

    #rule
    A construct “#” is defined, similar to “*”, for defining lists of elements. The full form is “<n>#<m>element” indicating at least <n> and at most <m> elements, each separated by one or more commas (“,”) and OPTIONAL linear white space (LWS).

    https://datatracker.ietf.org/doc/html/rfc2616#section-2.1
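
The "#rule" list syntax quoted in the reply above, as an added example that is not part of the original posts or the plugin's code: a small parser showing that the same Access-Control-Allow-Methods value with and without spaces yields the same list. The function names are hypothetical, and the no-space variant is constructed for the comparison.

```javascript
// Added example: parse an HTTP "#rule" list (RFC 2616 section 2.1).
// Function names are hypothetical, not from the plugin or WordPress.

// RFC 2616 "token": one or more CHARs except CTLs and separators.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Split a list header into its elements. Commas separate elements,
// linear white space (SP / HTAB) around them is optional, and null
// elements ("a, , b") are allowed but do not count.
function parseListHeader(value) {
  const elements = [];
  for (const raw of value.split(",")) {
    const element = raw.replace(/^[ \t]+|[ \t]+$/g, "");
    if (element === "") continue; // null element, skipped
    if (!TOKEN.test(element)) {
      throw new Error("not a valid token: " + JSON.stringify(element));
    }
    elements.push(element);
  }
  return elements;
}

// Two header values are equivalent when they list the same elements
// in the same order, whatever the spacing.
function sameList(a, b) {
  const x = parseListHeader(a);
  const y = parseListHeader(b);
  return x.length === y.length && x.every((e, i) => e === y[i]);
}

// Method names are case-sensitive, so "patch" does not match "PATCH".
function listsMethod(headerValue, method) {
  return parseListHeader(headerValue).includes(method);
}

// Header value quoted in the post, and a constructed variant without spaces.
const withSpaces = "OPTIONS, GET, POST, PUT, PATCH, DELETE";
const withoutSpaces = "OPTIONS,GET,POST,PUT,PATCH,DELETE";

console.log(sameList(withSpaces, withoutSpaces));
console.log(listsMethod("GET,POST,OPTIONS", "PATCH"));
```
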
    Thread Starter oyvindwe

    (@oyvindwe)

    I can try to make a PR. Is there a git repo for the plugin code, or is it only available on the Subversion repo?

    Thread Starter oyvindwe

    (@oyvindwe)

    Thank you very much! I didn’t check the RFC, only MDN, which claims that the only allowed value is true (case sensitive): https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials#directives
