* @param string $origin_arg Original origin string passed into is_allowed_http_origin function.
return apply_filters( 'allowed_http_origin', $origin, $origin_arg );
* Sends Access-Control-Allow-Origin and related headers if the current request
* is from an allowed origin.
* If the request is an OPTIONS request, the script exits with either access
* control headers sent, or a 403 response if the origin is not allowed. For
* other request methods, you will receive a return value.
* @return string|false Returns the origin URL if headers are sent. Returns false
* if headers are not sent.
function send_origin_headers() {
$origin = get_http_origin();
if ( is_allowed_http_origin( $origin ) ) {
header( 'Access-Control-Allow-Origin: ' . $origin );
header( 'Access-Control-Allow-Credentials: true' );
if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
* Validates a URL as safe for use in the HTTP API.
* The only supported protocols are `http` and `https`.
* Examples of URLs that are considered unsafe:
* - `ftp://example.com/caniload.php` - Invalid protocol - only http and https are allowed.
* - `http:///example.com/caniload.php` - Malformed URL.
* - `http://user:pass@example.com/caniload.php` - Login information.
* - `http://example.invalid/caniload.php` - Invalid hostname, as the IP cannot be looked up in DNS.
* Examples of URLs that are considered unsafe by default but can be allowed with filters:
* - `http://192.168.0.1/caniload.php` - IP address from LAN network.
* This can be changed with the {@see 'http_request_host_is_external'} filter.
* - `http://198.143.164.252:81/caniload.php` - By default, only ports 80, 443, and 8080 are allowed.
* This can be changed with the {@see 'http_allowed_safe_ports'} filter.
* @param string $url Request URL.
* @return string|false Returns false if the URL is not safe, or the original URL if it is safe.
function wp_http_validate_url( $url ) {
if ( ! is_string( $url ) || '' === $url || is_numeric( $url ) ) {
$url = wp_kses_bad_protocol( $url, array( 'http', 'https' ) );
if ( ! $url || strtolower( $url ) !== strtolower( $original_url ) ) {
$parsed_url = parse_url( $url );
if ( ! $parsed_url || empty( $parsed_url['host'] ) ) {
if ( isset( $parsed_url['user'] ) || isset( $parsed_url['pass'] ) ) {
if ( false !== strpbrk( $parsed_url['host'], ':#?[]' ) ) {
$parsed_home = parse_url( get_option( 'home' ) );
$same_host = isset( $parsed_home['host'] ) && strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
$host = trim( $parsed_url['host'], '.' );
if ( preg_match( '#^(([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)\.){3}([1-9]?\d|1\d\d|25[0-5]|2[0-4]\d)$#', $host ) ) {
$ip = gethostbyname( $host );
if ( $ip === $host ) { // Error condition for gethostbyname().
$parts = array_map( 'intval', explode( '.', $ip ) );
if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0]
|| ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
|| ( 192 === $parts[0] && 168 === $parts[1] )
// If host appears local, reject unless specifically allowed.
* Checks if HTTP request is external or not.
* Allows to change and allow external requests for the HTTP request.
* @param bool $external Whether HTTP request is external or not.
* @param string $host Host name of the requested URL.
* @param string $url Requested URL.
if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) ) {
if ( empty( $parsed_url['port'] ) ) {
$port = $parsed_url['port'];
* Controls the list of ports considered safe in HTTP API.
* Allows to change and allow external requests for the HTTP request.
* @param int[] $allowed_ports Array of integers for valid ports. Default allowed ports
* @param string $host Host name of the requested URL.
* @param string $url Requested URL.
$allowed_ports = apply_filters( 'http_allowed_safe_ports', array( 80, 443, 8080 ), $host, $url );
if ( is_array( $allowed_ports ) && in_array( $port, $allowed_ports, true ) ) {
if ( $parsed_home && $same_host && isset( $parsed_home['port'] ) && $parsed_home['port'] === $port ) {
* Marks allowed redirect hosts safe for HTTP requests as well.
* Attached to the {@see 'http_request_host_is_external'} filter.
* @param bool $is_external
function allowed_http_request_hosts( $is_external, $host ) {
if ( ! $is_external && wp_validate_redirect( 'http://' . $host ) ) {
* Adds any domain in a multisite installation for safe HTTP requests to the
* Attached to the {@see 'http_request_host_is_external'} filter.
* @global wpdb $wpdb WordPress database abstraction object.
* @param bool $is_external
function ms_allowed_http_request_hosts( $is_external, $host ) {
static $queried = array();
if ( get_network()->domain === $host ) {
if ( isset( $queried[ $host ] ) ) {
return $queried[ $host ];
$queried[ $host ] = (bool) $wpdb->get_var( $wpdb->prepare( "SELECT domain FROM $wpdb->blogs WHERE domain = %s LIMIT 1", $host ) );
return $queried[ $host ];
* A wrapper for PHP's parse_url() function that handles consistency in the return values
* Across various PHP versions, schemeless URLs containing a ":" in the query
* are being handled inconsistently. This function works around those differences.
* @since 4.7.0 The `$component` parameter was added for parity with PHP's `parse_url()`.
* @link https://www.php.net/manual/en/function.parse-url.php
* @param string $url The URL to parse.
* @param int $component The specific component to retrieve. Use one of the PHP
* predefined constants to specify which one.
* Defaults to -1 (= return all parts as an array).
* @return mixed False on parse failure; Array of URL components on success;
* When a specific component has been requested: null if the component
* doesn't exist in the given URL; a string or - in the case of
* PHP_URL_PORT - integer when it does. See parse_url()'s return values.
function wp_parse_url( $url, $component = -1 ) {
if ( str_starts_with( $url, '//' ) ) {
$url = 'placeholder:' . $url;
} elseif ( str_starts_with( $url, '/' ) ) {
$url = 'placeholder://placeholder' . $url;
$parts = parse_url( $url );
if ( false === $parts ) {
// Remove the placeholder values.
foreach ( $to_unset as $key ) {
return _get_component_from_parsed_url_array( $parts, $component );
* Retrieves a specific component from a parsed URL array.
* @link https://www.php.net/manual/en/function.parse-url.php
* @param array|false $url_parts The parsed URL. Can be false if the URL failed to parse.
* @param int $component The specific component to retrieve. Use one of the PHP
* predefined constants to specify which one.
* Defaults to -1 (= return all parts as an array).
* @return mixed False on parse failure; Array of URL components on success;
* When a specific component has been requested: null if the component
* doesn't exist in the given URL; a string or - in the case of
* PHP_URL_PORT - integer when it does. See parse_url()'s return values.
function _get_component_from_parsed_url_array( $url_parts, $component = -1 ) {
if ( -1 === $component ) {
$key = _wp_translate_php_url_constant_to_key( $component );
if ( false !== $key && is_array( $url_parts ) && isset( $url_parts[ $key ] ) ) {
return $url_parts[ $key ];
* Translates a PHP_URL_* constant to the named array keys PHP uses.
* @link https://www.php.net/manual/en/url.constants.php
* @param int $constant PHP_URL_* constant.
* @return string|false The named key or false.
function _wp_translate_php_url_constant_to_key( $constant ) {
PHP_URL_SCHEME => 'scheme',
PHP_URL_QUERY => 'query',
PHP_URL_FRAGMENT => 'fragment',
if ( isset( $translation[ $constant ] ) ) {
return $translation[ $constant ];
It is recommended that you Edit text format, this type of Fix handles quite a lot in one request
