/**
 * Setup access for origin and methods on cross origin requests
 *
 * The allowed domains can be given in several forms; see the examples below.
 *
 * ### Full URI
 * ```
 * cors($request, 'http://www.cakephp.org');
 * ```
 *
 * ### URI with wildcard
 * ```
 * cors($request, 'http://*.cakephp.org');
 * ```
 *
 * ### Ignoring the requested protocol
 * ```
 * cors($request, 'www.cakephp.org');
 * ```
 *
 * ### Any URI
 * ```
 * cors($request, '*');
 * ```
 *
 * ### Whitelist of URIs
 * ```
 * cors($request, ['http://www.cakephp.org', '*.google.com', 'https://myproject.github.io']);
 * ```
 *
 * *Note* The `$allowedDomains`, `$allowedMethods`, `$allowedHeaders` parameters are deprecated.
 * Instead the builder object should be used.
 *
 * NOTE(review): `'*'` and the protocol-less host form are the broad options:
 * `'*'` admits every origin and a bare host is documented above as ignoring
 * the protocol, so a plain `http://` origin is accepted too. How CorsBuilder
 * combines either form with `allowCredentials()` is not visible from this
 * method — confirm there before using them on an authenticated endpoint.
 *
 * This method only calls `build()` on the builder when the request carries
 * an `Origin` header AND at least one of the three deprecated list
 * parameters is non-empty. In every other case the untouched builder is
 * returned for the caller to configure.
 *
 * @param \Cake\Network\Request $request Request object
 * @param string|array $allowedDomains List of allowed domains, see method description for more details
 * @param string|array $allowedMethods List of HTTP verbs allowed
 * @param string|array $allowedHeaders List of HTTP headers allowed
 * @return \Cake\Network\CorsBuilder A builder object the provides a fluent interface for defining
 *   additional CORS headers.
 */
public function cors(Request $request, $allowedDomains = [], $allowedMethods = [], $allowedHeaders = [])
{
    $origin = $request->header('Origin');
    $builder = new CorsBuilder($this, $origin, $request->is('ssl'));

    // Any of the legacy list parameters being set means the caller still
    // expects this method to apply the headers itself.
    $hasLegacyConfig = !empty($allowedDomains)
        || !empty($allowedMethods)
        || !empty($allowedHeaders);

    // Without an Origin header there is nothing to answer; without legacy
    // config the caller finishes configuration on the returned builder.
    if ($origin && $hasLegacyConfig) {
        $builder->allowOrigin($allowedDomains)
            ->allowMethods((array)$allowedMethods)
            ->allowHeaders((array)$allowedHeaders)
            ->build();
    }

    return $builder;
}
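/**
 * When an invalid origin is used, none of the other headers should be applied.
 *
 * The credentials case matters most: the builder is asked to
 * `allowCredentials()`, so the response must not carry
 * `Access-Control-Allow-Credentials` for a non-whitelisted origin. The
 * previous version of this test asserted on
 * `Access-Control-Allow-Authentication`, which is not a CORS header and is
 * never emitted, so that assertion could not fail regardless of the
 * builder's behaviour.
 *
 * @return void
 */
public function testInvalidAllowedOriginNoHeadersSet()
{
    $response = new Response();
    $builder = new CorsBuilder($response, 'http://example.com');
    $response = $builder->allowOrigin(['http://google.com'])
        ->allowCredentials()
        ->allowMethods(['GET', 'POST'])
        ->allowHeaders(['Content-Type'])
        ->exposeHeaders(['X-CSRF-Token'])
        ->maxAge(300)
        ->build();

    // Every header the builder was configured to emit must be absent.
    $corsHeaders = [
        'Access-Control-Allow-Origin',
        'Access-Control-Allow-Credentials',
        'Access-Control-Allow-Methods',
        'Access-Control-Allow-Headers',
        'Access-Control-Expose-Headers',
        'Access-Control-Max-Age',
    ];
    foreach ($corsHeaders as $header) {
        $this->assertNoHeader($response, $header);
    }
}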