diff -r f507feede89a -r 09a1c134465b web/wp-includes/http.php
--- a/web/wp-includes/http.php	Wed Dec 19 12:35:13 2012 -0800
+++ b/web/wp-includes/http.php	Wed Dec 19 17:46:52 2012 -0800
@@ -19,7 +19,7 @@
  *
  * @return WP_Http HTTP Transport object.
  */
-function &_wp_http_get_object() {
+function _wp_http_get_object() {
 	static $http;
 
 	if ( is_null($http) )
@@ -284,6 +284,10 @@
  * Send Access-Control-Allow-Origin and related headers if the current request
  * is from an allowed origin.
  *
+ * If the request is an OPTIONS request, the script exits with either access
+ * control headers sent, or a 403 response if the origin is not allowed. For
+ * other request methods, you will receive a return value.
+ *
  * @since 3.4.0
  *
  * @return bool|string Returns the origin URL if headers are sent. Returns false
@@ -291,11 +295,19 @@
  */
 function send_origin_headers() {
 	$origin = get_http_origin();
-	if ( ! is_allowed_http_origin( $origin ) )
-		return false;
 
-	@header( 'Access-Control-Allow-Origin: ' .  $origin );
-	@header( 'Access-Control-Allow-Credentials: true' );
+	if ( is_allowed_http_origin( $origin ) ) {
+		@header( 'Access-Control-Allow-Origin: ' .  $origin );
+		@header( 'Access-Control-Allow-Credentials: true' );
+		if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] )
+			exit;
+		return $origin;
+	}
 
-	return $origin;
-}
\ No newline at end of file
+	if ( 'OPTIONS' === $_SERVER['REQUEST_METHOD'] ) {
+		status_header( 403 );
+		exit;
+	}
+
+	return false;
+}