/**
 * @inheritdoc
 *
 * Runs the checks shared by every CORS request (optional 'Host' header
 * validation, cross-origin detection, origin allow-list) and then delegates
 * to the pre-flight handler or to the simple/actual request handler.
 *
 * TYPE_REQUEST_OUT_OF_CORS_SCOPE is returned before the allow-list is
 * consulted, so it only means "no cross-origin 'Origin' was seen"; it does
 * not say the origin was approved.
 *
 * @see http://www.w3.org/TR/cors/#resource-processing-model
 */
public function analyze(RequestInterface $request)
{
    $server = $this->factory->createParsedUrl($this->strategy->getServerOrigin());

    // The 'Host' header is compared with the server origin only when the strategy enables the check.
    if ($this->strategy->isCheckHost() === true) {
        if ($this->isSameHost($request, $server) === false) {
            return $this->createResult(AnalysisResultInterface::ERR_NO_HOST_HEADER);
        }
    }

    // Steps common to both handlers (#6.1.1 - #6.1.2 and #6.2.1 - #6.2.2).

    // #6.1.1 and #6.2.1: no origin, or an origin that is not cross-origin, is outside CORS scope.
    $origin = $this->getOrigin($request);
    $inCorsScope = $origin !== null && $this->isCrossOrigin($origin, $server) !== false;
    if (!$inCorsScope) {
        return $this->createResult(AnalysisResultInterface::TYPE_REQUEST_OUT_OF_CORS_SCOPE);
    }

    // #6.1.2 and #6.2.2: the origin has to be accepted by the strategy.
    if ($this->strategy->isRequestOriginAllowed($origin) === false) {
        return $this->createResult(AnalysisResultInterface::ERR_ORIGIN_NOT_ALLOWED);
    }

    // From here each handler follows its own path:
    // - pre-flight request (#6.2.3 - #6.2.10)
    // - simple CORS and actual CORS request (#6.1.3 - #6.1.4)
    if ($request->getMethod() === self::PRE_FLIGHT_METHOD) {
        return $this->analyzeAsPreFlight($request, $origin);
    }

    return $this->analyzeAsRequest($request, $origin);
}
/**
 * Classifies a request against the CORS resource processing model and logs
 * the reason whenever one of the common checks rejects it or puts it out of
 * CORS scope.
 *
 * The logged context holds values read from the request (the 'Host' header
 * and the origin). NOTE(review): these are presumably client-controlled, so
 * the log sink should treat them as untrusted text; confirm against the logger.
 *
 * @param RequestInterface $request
 *
 * @return AnalysisResultInterface
 */
protected function analyzeImplementation(RequestInterface $request)
{
    $server = $this->factory->createParsedUrl($this->strategy->getServerOrigin());

    // The 'Host' header is compared with the server origin only when the strategy enables the check.
    if ($this->strategy->isCheckHost() === true) {
        if ($this->isSameHost($request, $server) === false) {
            $hostHeader = $this->getRequestHostHeader($request);
            $this->logInfo(
                'Host header in request either absent or do not match server origin. ' .
                'Check config settings for Server Origin and Host Check.',
                ['host' => $hostHeader, 'server' => $server]
            );

            return $this->createResult(AnalysisResultInterface::ERR_NO_HOST_HEADER);
        }
    }

    // Steps common to both handlers (#6.1.1 - #6.1.2 and #6.2.1 - #6.2.2).

    // #6.1.1 and #6.2.1: no origin, or an origin that is not cross-origin, is outside CORS scope.
    $origin = $this->getOrigin($request);
    $inCorsScope = $origin !== null && $this->isCrossOrigin($origin, $server) !== false;
    if (!$inCorsScope) {
        $this->logDebug(
            'Request is not CORS (request origin is empty or equals to server one). ' .
            'Check config settings for Server Origin.',
            ['request' => $origin, 'server' => $server]
        );

        return $this->createResult(AnalysisResultInterface::TYPE_REQUEST_OUT_OF_CORS_SCOPE);
    }

    // #6.1.2 and #6.2.2: the origin has to be accepted by the strategy.
    if ($this->strategy->isRequestOriginAllowed($origin) === false) {
        $this->logInfo(
            'Request origin is not allowed. Check config settings for Allowed Origins.',
            ['origin' => $origin]
        );

        return $this->createResult(AnalysisResultInterface::ERR_ORIGIN_NOT_ALLOWED);
    }

    // From here each handler follows its own path:
    // - pre-flight request (#6.2.3 - #6.2.10)
    // - simple CORS and actual CORS request (#6.1.3 - #6.1.4)
    if ($request->getMethod() === self::PRE_FLIGHT_METHOD) {
        return $this->analyzeAsPreFlight($request, $origin);
    }

    return $this->analyzeAsRequest($request, $origin);
}