public function setAllowedCrossDomainUrls(Request $request, array $urls) { $origin = null; if (count($urls) > 1) { // we can only set one allowed origin URL // if many are given, we need to find the current one $requestOrigin = $request->header('Origin'); if ($requestOrigin) { // the docs say this will not have any path info, but we don't trust those bastards if (substr($requestOrigin, -1) != '/') { $requestOrigin .= '/'; } foreach ($urls as $allowedOrigin) { $allowedOriginWithSlash = $allowedOrigin; if (substr($allowedOriginWithSlash, -1) != '/') { $allowedOriginWithSlash .= '/'; } if (strpos($requestOrigin, $allowedOriginWithSlash) === 0) { $origin = $allowedOrigin; break; } } } } if (!$origin) { // only one URL given, or none matches the request // fallback to first allowed origin $origin = reset($urls); } $this->addHeader('Access-Control-Allow-Credentials: true'); $this->addHeader('Access-Control-Allow-Origin: ' . $origin); return $this; }