/**
 * A request whose Origin has the same host as the request URI but a
 * different scheme (http vs https) is still cross-origin and must be
 * classified as a CORS request.
 */
public function testCanDetectCorsRequestFromSameHostButDifferentScheme()
{
    $requestUri = 'https://example.com';
    $origin     = 'http://example.com';

    $request = new HttpRequest();
    $request->setUri($requestUri);
    $request->getHeaders()->addHeaderLine('Origin', $origin);

    // Same host, different scheme: browsers treat this as a distinct origin,
    // so the service must not short-circuit on host equality alone.
    $this->assertTrue($this->corsService->isCorsRequest($request));
}
/**
 * Handle an actual (non-preflight) CORS request.
 *
 * When a preflight response was already produced by this listener the
 * method is a no-op. Otherwise, for a cross-origin request the CORS
 * headers are populated onto the current response; a disallowed origin
 * replaces the response with a bare 403. Non-CORS requests without an
 * Origin header still receive a Vary header so that intermediaries do
 * not cache a variant lacking CORS headers.
 *
 * @param MvcEvent $event
 * @return void
 */
public function onCorsRequest(MvcEvent $event)
{
    // A preflight response already exists for this request; nothing to add.
    if ($this->isPreflight) {
        return;
    }

    /** @var $request HttpRequest */
    $request = $event->getRequest();
    /** @var $response HttpResponse */
    $response = $event->getResponse();

    // Only HTTP requests carry an Origin header worth inspecting.
    if (!$request instanceof HttpRequest) {
        return;
    }

    $isCors = $this->corsService->isCorsRequest($request);

    if (!$isCors) {
        // Without Vary a reverse proxy could cache this non-CORS response and
        // later serve it, minus CORS headers, to cross-origin clients — every
        // subsequent CORS request would then fail.
        $hasOrigin = (bool) $request->getHeader('Origin');
        if (!$hasOrigin) {
            $this->corsService->ensureVaryHeader($response);
        }
        return;
    }

    // Second step of the CORS exchange: decorate the response and let ZF
    // continue processing it as usual.
    try {
        $response = $this->corsService->populateCorsResponse($request, $response);
    } catch (DisallowedOriginException $exception) {
        // Replace, rather than reuse, the response so nothing already attached
        // to it (headers or body) is sent along with the 403.
        $response = new HttpResponse();
        // NOTE(review): the exception message becomes the HTTP reason phrase;
        // confirm it does not echo the raw Origin header value unsanitised.
        $response->setStatusCode(403)->setReasonPhrase($exception->getMessage());
    }

    $event->setResponse($response);
}
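/**
 * Handle an actual (non-preflight) CORS request.
 *
 * When a preflight response was already produced by this listener the
 * method is a no-op. For a cross-origin request the CORS headers are
 * populated onto the current response; a disallowed origin replaces the
 * response with a bare 403.
 *
 * Non-CORS requests that carry no Origin header still get a Vary header:
 * otherwise a reverse proxy may cache the CORS-header-less response and
 * serve it to cross-origin clients, making all subsequent CORS requests
 * for that resource fail.
 *
 * @param MvcEvent $event
 * @return void
 */
public function onCorsRequest(MvcEvent $event)
{
    // A preflight response already exists for this request; nothing to add.
    if ($this->isPreflight) {
        return;
    }

    /** @var $request HttpRequest */
    $request = $event->getRequest();
    /** @var $response HttpResponse */
    $response = $event->getResponse();

    // Only HTTP requests carry an Origin header worth inspecting.
    if (!$request instanceof HttpRequest) {
        return;
    }

    if (!$this->corsService->isCorsRequest($request)) {
        // Cache-safety: mark the response as varying on Origin even when no
        // Origin was sent, so intermediaries keep this variant separate from
        // the CORS-decorated one.
        if (!$request->getHeader('Origin')) {
            $this->corsService->ensureVaryHeader($response);
        }
        return;
    }

    // Second step of the CORS exchange: decorate the response and let ZF
    // continue processing it as usual.
    try {
        $response = $this->corsService->populateCorsResponse($request, $response);
    } catch (DisallowedOriginException $exception) {
        // Replace, rather than reuse, the response so nothing already attached
        // to it (headers or body) is sent along with the 403.
        $response = new HttpResponse();
        // NOTE(review): the exception message becomes the HTTP reason phrase;
        // confirm it does not echo the raw Origin header value unsanitised.
        $response->setStatusCode(403)->setReasonPhrase($exception->getMessage());
    }

    $event->setResponse($response);
}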