Filter tin-canny-learndash-reporting

tincanny_access_control_origin

Filters the Access-Control-Allow-Origin header value, allowing customization of cross-origin resource sharing.

add_filter( 'tincanny_access_control_origin', $callback, 10, 1 );

Description

Allows developers to modify the `Access-Control-Allow-Origin` header sent by Tin Can API. This is useful for controlling which domains are allowed to access your LRS data. The default value is the site's URL.


Usage

add_filter( 'tincanny_access_control_origin', 'your_function_name', 10, 1 );

Return Value

The filtered value: the string sent as the `Access-Control-Allow-Origin` header.


Examples

/**
 * Allows a specific staging origin in addition to the site's own URL.
 *
 * Access-Control-Allow-Origin carries a single origin (or `*`); browsers
 * reject a comma-separated list. To permit more than one origin, compare
 * the request's Origin header against the allowed values and return the
 * one that matched.
 *
 * @param string $origin The default origin to allow (WordPress site URL).
 * @return string The allowed origin.
 */
add_filter( 'tincanny_access_control_origin', function( $origin ) {
	// Define a staging domain that also needs access.
	$staging_domain = 'https://staging.example.com';

	// Origin header sent by the browser with the current request, if any.
	$request_origin = isset( $_SERVER['HTTP_ORIGIN'] ) ? trim( (string) $_SERVER['HTTP_ORIGIN'] ) : '';

	// Exact string match only: no substring, prefix or pattern matching,
	// so look-alike hosts such as staging.example.com.evil.test never pass.
	if ( $request_origin === $staging_domain ) {
		return $staging_domain;
	}

	// Every other request gets the default origin unchanged.
	return $origin;

}, 10, 1 );

Placement

This code should be placed in the functions.php file of your active theme, a custom plugin, or using a code snippets plugin.


Source Code

src/uncanny-tincan/classes/Server.php:198

private function modify_header() {
		$domain = apply_filters( 'tincanny_access_control_origin', esc_url_raw( site_url() ) );
		header( 'Access-Control-Allow-Origin: ' . $domain );
		header( 'Access-Control-Allow-Methods: HEAD, GET, POST, PUT, DELETE' );
		header( 'Access-Control-Allow-Headers: X-Experience-API-Version, Authorization, Content-Type, ETag, X-TinCanny-Complete' );
		header( 'Access-Control-Expose-Headers: ETag, X-TinCanny-Complete' );
	}
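
A last-priority guard for this hook, as an added example that is not part of the plugin or the original page: because `modify_header()` writes the filtered value straight into the header, the guard accepts only a single allowlisted origin and otherwise falls back to the site's own origin. The helper name `my_tincanny_origin_of` and the staging origin are assumptions.

```php
<?php
// Added example, not plugin code. my_tincanny_origin_of() and the staging
// origin are hypothetical; replace the allowlist with origins you trust.

/** Reduce a URL to scheme://host[:port], or '' if it is not an http(s) URL. */
function my_tincanny_origin_of( $url ) {
	$parts = wp_parse_url( (string) $url );
	if ( ! is_array( $parts ) || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return '';
	}
	$scheme = strtolower( $parts['scheme'] );
	if ( 'http' !== $scheme && 'https' !== $scheme ) {
		return '';
	}
	$origin  = $scheme . '://' . strtolower( $parts['host'] );
	$default = ( 'https' === $scheme ) ? 443 : 80;
	// Browsers omit the default port when serializing an origin.
	if ( isset( $parts['port'] ) && (int) $parts['port'] !== $default ) {
		$origin .= ':' . (int) $parts['port'];
	}
	return $origin;
}

// PHP_INT_MAX: run after every other callback on this hook.
add_filter( 'tincanny_access_control_origin', function ( $value ) {
	// site_url() may include a path; an origin never does.
	$site    = my_tincanny_origin_of( site_url() );
	$allowed = array( $site, 'https://staging.example.com' );

	// Reject wildcards, lists and anything with whitespace or control bytes
	// before parsing; the header carries exactly one origin.
	$value = (string) $value;
	if ( preg_match( '/[\s,*\x00-\x1f]/', $value ) ) {
		return $site;
	}

	$origin = my_tincanny_origin_of( $value );
	if ( '' === $origin || ! in_array( $origin, $allowed, true ) ) {
		return $site;
	}

	// The value may have been chosen per request, so keep shared caches
	// from serving one origin's response to another.
	if ( ! headers_sent() ) {
		header( 'Vary: Origin', false );
	}
	return $origin;
}, PHP_INT_MAX, 1 );
```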
