Add README section explaining how to enable auto-discovery over CORS (#307)
As noted in #303, our documentation does not cover how to enable the
REST API to be discovered with a cross-origin request. This PR adds
a new section to the readme to explain the process.
Fixes #303
README.md
+22 -2 (22 additions & 2 deletions)
@@ -150,6 +150,26 @@ apiPromise.then(function( site ) {
150
150
})
151
151
```
152
152
153
+
#### Cross-Origin Auto-Discovery
154
+
155
+
When attempting auto-discovery against a remote server in a client-side environment, discovery will fail unless the server is configured for [Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) (CORS). CORS can be enabled by specifying a set of `Access-Control-` headers in your PHP code to instruct browsers that requests from remote clients are accepted; these headers also let you control what specific methods and links are exposed to those remote clients.
156
+
157
+
The [WP-REST-Allow-All-Cors](https://github.com/ahmadawais/WP-REST-Allow-All-CORS) plugin will permit CORS requests for all API resources. Auto-discovery will still fail when using this plugin, however, because discovery depends on the presence of a `Link` header on WordPress pages outside of the root REST API endpoint.
158
+
159
+
To permit your site to be auto-discovered by client-side REST API clients, add a filter to `send_headers` to explicitly whitelist the `Link` header for `HEAD` requests:
160
+
161
+
```php
162
+
add_action( 'send_headers', function() {
163
+
if ( ! did_action('rest_api_init') && $_SERVER['REQUEST_METHOD'] == 'HEAD' ) {
164
+
header( 'Access-Control-Allow-Origin: *' );
165
+
header( 'Access-Control-Expose-Headers: Link' );
166
+
header( 'Access-Control-Allow-Methods: HEAD' );
167
+
}
168
+
} );
169
+
```
170
+
171
+
Enable CORS at your own discretion. Restricting `Access-Control-Allow-Origin` to a specific origin domain is often preferable to allowing all origins via `*`.
172
+
153
173
### Bootstrapping
154
174
155
175
If you are building an application designed to interface with a specific site, it is possible to sidestep the additional asynchronous HTTP calls that are needed to bootstrap the client through auto-discovery. You can download the root API response, *i.e.* the JSON response when you hit the root endpoint such as `your-site.com/wp-json`, and save that JSON file locally; then, in
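Review bot: the snippet hard-codes `Access-Control-Allow-Origin: *` even though the paragraph right after it says restricting to a specific origin is usually preferable; readers copy the code rather than the caveat, so consider showing the restricted form in the block itself (read `$_SERVER['HTTP_ORIGIN']`, compare it against a fixed list of allowed origins, echo the matching origin back, and send `Vary: Origin` so a shared cache does not hand one origin's response to another). Two smaller points in the same block: `$_SERVER['REQUEST_METHOD'] == 'HEAD'` should use the strict `===` comparison, and `Access-Control-Allow-Methods: HEAD` is only consulted in preflight responses, which a plain `HEAD` request never triggers, so that line is inert and could be dropped or explained.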
@@ -416,8 +436,8 @@ It is also possible to add your own slug-oriented query parameters to a site tha
416
436
417
437
Just as `.categories()` and `.tags()` can be used to return posts that are associated with one or more taxonomies, two methods exist to exclude posts by their term associations.
418
438
419
-
-`.excludeCategories()` is a shortcut for `.param( 'categories_exclude', ... )` which excludes results associated with the provided category term IDs
420
-
-`.excludeTags()` is a shortcut for `.param( 'tags_exclude', ... )` which excludes results associated with the provided tag term IDs
439
+
-`.excludeCategories()` is a shortcut for `.param( 'categories_exclude', ... )` which excludes results associated with the provided category term IDs
440
+
-`.excludeTags()` is a shortcut for `.param( 'tags_exclude', ... )` which excludes results associated with the provided tag term IDs
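Review bot: the two removed lines and the two added lines in this hunk carry identical text (`.excludeCategories()` is a shortcut for `.param( 'categories_exclude', ... )` ... and `.excludeTags()` is a shortcut for `.param( 'tags_exclude', ... )` ...), so this appears to be a whitespace or blank-line-only change with no connection to the CORS section the commit message describes; either mention the incidental reformat in the commit message or leave these lines untouched so the diff stays focused on the documented change.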