From 24ee4944cfd6fdd72eb7382a0381d12a2590bfee Mon Sep 17 00:00:00 2001
From: Max Schmeling <max.schmeling@automattic.com>
Date: Thu, 12 Dec 2024 16:33:44 -0600
Subject: [PATCH] Send X-Cors-Proxy-Allowed-Request-Headers header on proxied
 requests

---
 inc/HttpClient/WPRemoteRequestHandler.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/inc/HttpClient/WPRemoteRequestHandler.php b/inc/HttpClient/WPRemoteRequestHandler.php
index eaaba815..d473de1c 100644
--- a/inc/HttpClient/WPRemoteRequestHandler.php
+++ b/inc/HttpClient/WPRemoteRequestHandler.php
@@ -30,6 +30,7 @@ public function __invoke( RequestInterface $request, array $options ): PromiseIn
 		try {
 			// Convert Guzzle request to arguments for wp_remote_request.
 			$url = (string) $request->getUri();
+			$headers = [];
 
 			// If we are running on WordPress Playground, use the provided CORS proxy.
 			if ( defined( 'USE_PLAYGROUND_CORS_PROXY' ) && true === USE_PLAYGROUND_CORS_PROXY ) {
@@ -40,11 +41,12 @@ public function __invoke( RequestInterface $request, array $options ): PromiseIn
 					->withQuery( $url );
 				$request = $request->withUri( $new_uri );
 				$url = (string) $new_uri;
+				$headers['X-Cors-Proxy-Allowed-Request-Headers'] = 'Authorization';
 			}
 
 			$args = [
 				'body' => (string) $request->getBody(), // Stream has been read, let __toString() rewind and read it.
-				'headers' => [],
+				'headers' => $headers,
 				'httpversion' => $options['httpversion'] ?? self::DEFAULT_HTTP_VERSION,
 				'method' => $request->getMethod(),
 				'timeout' => $options['timeout'] ?? self::DEFAULT_TIMEOUT,