Sorry, I might be wrong to understand your question.
but those just state, that if you want to allow only a specific origin then you’ll have to unhook the default cors header function then add your custom cors header function in the same hook.
Here is some ref. I found for example
https://gist.github.com/miya0001/d6508b9ba52df5aedc78fca186ff6088
https://github.com/WP-API/WP-API/issues/2844#issuecomment-275930957
https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/
https://developer.ww.wp.xz.cn/reference/functions/rest_send_cors_headers/
Hi Vijay,
Really my question now is in two parts – if I use
remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
add_filter( 'rest_pre_serve_request', function( $value ) {
Then it looks lik ethat applies to all WP REST API end points. Is that right – as I only want it to apply to my custom end point.
This article https://legacy.joshpress.net/access-control-headers-for-the-wordpress-rest-api/
says
That said, keep in mind that the class WP_REST_Response, which should be used for all responses, also gives you the ability to add headers. Any headers unique to a request should be set there.
But now i’m thinking that setting headers is not the right approach anyway and I should uses nonces from the from end to back end to restrict access to the end point – what do you think?
You can go with nonce or maybe using $request->get_route() you can compare the route then apply custom headers. but you’ll have to remove the existing hook then in the new hook functions, will have to take 3 args then compare the route, then if matched then set your new headers otherwise set the original headers again from the existing function that we unhooked before.
