Dev Kabir

@germanoalves @mehbubrashid I just wanted to let you know that a new update has been released.

I hope this time it should work. To verify if your site has CORS enabled, you can perform a test here

Dear @mehbubrashid,

I hope this message finds you well! I wanted to inform you about the latest update for the enable-cors plugin. As per your second suggestion, I have made a significant change to the origin field. Specifically, I have eliminated the URL validation requirement, providing you with a smoother experience. If you have any further suggestions or need any assistance, please feel free to reach out. I value your feedback and are here to support you.

I am closing this Thread

@germanoalves It appears that you are using WordPress version 6.2.2.

Could you please visit the /wp-json page?

If it is working, then the issue may be with my plugin and I will update it as soon as possible.

If the page is not working,

1. please go to /wp-admin/options-permalink.php and check your Permalink structure.
2. If it is set to Post name, change it to another option, save the change,
3. then select Post name again and save the change.
4. After doing this, try saving the settings again.
5. I hope this helps.

@mehbubrashid for your second suggestion,

When you set the “Access-Control-Allow-Origin” header to “*”, it means that any website can send a request to your WordPress site and access the server’s response. This can be a potential security risk, especially if you have implemented authentication or authorization measures that rely on browser-provided elements like cookies or sessions.

The risk is higher when you allow resource sharing for all resources on your site, rather than only selected ones. However, it’s important to understand that using “Access-Control-Allow-Origin: *” is generally safe for most resources, unless those resources contain private data protected by means other than standard credentials like cookies, HTTP basic authentication, or TLS client certificates.

Considering the fact that WordPress websites are often targeted by brute force attacks, it may be advisable for WordPress users and developers to avoid allowing users to choose the “*” origin option.

@mehbubrashid Thank you for bringing these issues to my attention. I understand the concerns you have regarding the plugin’s behavior and the limitations it imposes. I apologize for any inconvenience caused.

Regarding the first issue with the incorrect URL, I agree that it is essential for the plugin to support different hosting configurations, including subfolders. I will investigate the issue and work on a fix that allows the plugin to handle requests properly in various hosting environments. Please note that resolving this issue may require some development work, so I appreciate your patience.

Regarding the second issue with the website URL field, I understand your point about the use of “*” to indicate all URLs for access control headers. While it is true that “*” is a valid wildcard character for such headers, the plugin’s validation may have stricter requirements to ensure proper functionality. However, I acknowledge that the default setting of “*” within the plugin itself creates inconsistency. I will review this behavior and consider adjusting the validation to align with common practices while maintaining security measures.

Thank you for bringing these matters to my attention. I assure you that I will prioritize addressing these issues and provide a solution that improves the plugin’s compatibility and usability. If you have any further questions or suggestions, please feel free to let me know.

• This reply was modified 2 years, 11 months ago by Dev Kabir.