I've added a warning about the WordPress REST API being open for all Origins.
I've paraphrased @rmccue to indicate this was discussed recently and to make clear who said this (instead of me). I've added a link to my plugin as an example for verifying Origins before sending out CORS headers.
I've added a warning about the WordPress REST API being open for all Origins. I've paraphrased @rmccue to indicate this was discussed recently and to make clear who said this (instead of me). I've added a link to my plugin as an example for verifying Origins before sending out CORS headers.
Trac tickets for reference: