From 23cb8fe320c94fd41c35743317f52e651fd4507b Mon Sep 17 00:00:00 2001
From: Seghir Nadir
Date: Mon, 17 Jul 2023 16:16:02 +0100
Subject: [PATCH] Don't send headers early in Store API (https://github.com/woocommerce/woocommerce-blocks/pull/10241)

---
 .../woocommerce-blocks/src/StoreApi/Authentication.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/plugins/woocommerce-blocks/src/StoreApi/Authentication.php b/plugins/woocommerce-blocks/src/StoreApi/Authentication.php
index a6e5c3e4ace..463a82d23bb 100644
--- a/plugins/woocommerce-blocks/src/StoreApi/Authentication.php
+++ b/plugins/woocommerce-blocks/src/StoreApi/Authentication.php
@@ -61,14 +61,15 @@ class Authentication {
 }
 
 // Send standard CORS headers.
- header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
- header( 'Access-Control-Allow-Credentials: true' );
- header( 'Vary: Origin', false );
+ $server = rest_get_server();
+ $server->send_header( 'Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, PATCH, DELETE' );
+ $server->send_header( 'Access-Control-Allow-Credentials', 'true' );
+ $server->send_header( 'Vary', 'Origin', false );
 
 // Allow preflight requests, certain http origins, and any origin if a cart token is present. Preflight requests
 // are allowed because we'll be unable to validate cart token headers at that point.
 if ( $this->is_preflight() || $this->has_valid_cart_token( $request ) || is_allowed_http_origin( $origin ) ) {
- header( 'Access-Control-Allow-Origin: ' . $origin );
+ $server->send_header( 'Access-Control-Allow-Origin', $origin );
 }
 
 // Exit early during preflight requests. This is so someone cannot access API data by sending an OPTIONS request
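Review bot: The third argument in `$server->send_header( 'Vary', 'Origin', false );` has no effect, because `WP_REST_Server::send_header()` takes only a key and a value and calls `header()` with its default replace behaviour. The removed `header( 'Vary: Origin', false );` appended to any Vary header already queued, whereas the new call overwrites it. A value set earlier, such as `Vary: Accept-Encoding`, would then be lost, and a shared cache could key responses incorrectly while `Access-Control-Allow-Origin` echoes the request origin. If appending is still wanted, keep `header( 'Vary: Origin', false );` for this one header; otherwise drop the stray argument and add a comment that the overwrite is intended. The enclosing method starts and ends outside the hunk, so whether other Vary values are set earlier in the request cannot be confirmed from here.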