Skip to main content
For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. Only in a local environment does the REST API simulate CORS enabled.
If you are getting a warning about the cross origin headers then you will need to set it up.
If you simply want to enable but don’t want to add any code snippets, you can simply install CoCart CORS Support plugin.

Enable CORS

<?php
add_filter( 'cocart_disable_all_cors', function() { return false; });
For added security when you go into production. Set the Access-Control-Allow-Origin header to be more specific.

Single Domain Access

Access via a single domain access should be enough. 
<?php
add_filter( 'cocart_allow_origin', function() { return 'https://example-store.com'; });

Multiple Domain Access

You can support many domains access using the cocart_allowed_http_origins filter.
Do not use cocart_allow_origin filter at the same time as it will break.
ParameterTypeDescription
$allowed_originsstring[]Array of default allowed HTTP origins.
<?php
add_filter( 'cocart_allowed_http_origins', function( $allowed_origins ) {
    $allowed_origins[] = 'https://example-store.com'; // Replace with your origin.

    return $allowed_origins;
} );

Allowed Ports

You can change the list of ports considered safe for accessing the REST API. The ports can also be restricted by the host and/or requested URL.
Default Ports: 80, 443, 8080
ParameterTypeDescription
$portsint[]Array of integers for valid ports.
$hoststringHost name of the requested URL.
$urlstringRequested URL.
<?php
add_filter( 'cocart_http_allowed_safe_ports', function( $ports, $host, $url ) {
    $ports[] = 123; // Replace with port number to allow.

    return $ports;
} );
I