/**
 * @inheritdoc
 */
public function isRequestOriginAllowed(ParsedUrlInterface $requestOrigin)
{
    // A configured '*' entry short-circuits the check: every origin is accepted.
    // NOTE(review): the pre-flight path echoes the concrete request origin rather
    // than '*', so a '*' configuration combined with a strategy that enables
    // credentials amounts to "reflect any origin with
    // Access-Control-Allow-Credentials: true" — confirm that is intended.
    if (isset($this->allowedOrigins[CorsResponseHeaders::VALUE_ALLOW_ORIGIN_ALL]) === true) {
        return true;
    }

    // Otherwise the origin has to match a configured entry. The request value is
    // lower-cased before lookup, so matching is case-insensitive on the request
    // side (presumably the configured keys are stored lower-cased — verify where
    // allowedOrigins is populated).
    $normalizedOrigin = strtolower($requestOrigin->getOrigin());

    return isset($this->allowedOrigins[$normalizedOrigin]);
}
/**
 * Analyze request as CORS pre-flight request (#6.2.3 - #6.2.10).
 *
 * Builds the pre-flight response headers from the strategy's decisions. The
 * origin placed in Access-Control-Allow-Origin is echoed verbatim from
 * $requestOrigin; this method does not validate it itself (presumably the
 * caller has already run isRequestOriginAllowed — confirm at the call site).
 *
 * @param RequestInterface   $request
 * @param ParsedUrlInterface $requestOrigin
 *
 * @return AnalysisResultInterface
 *
 * @SuppressWarnings(PHPMD.NPathComplexity)
 * @SuppressWarnings(PHPMD.CyclomaticComplexity)
 */
protected function analyzeAsPreFlight(RequestInterface $request, ParsedUrlInterface $requestOrigin)
{
    // #6.2.3: no Access-Control-Request-Method means this is not a pre-flight
    // request at all, so it falls outside the CORS algorithm.
    $requestedMethods = $request->getHeader(CorsRequestHeaders::METHOD);
    if (empty($requestedMethods) === true) {
        return $this->createResult(AnalysisResultInterface::TYPE_REQUEST_OUT_OF_CORS_SCOPE);
    }

    // From here on this is a pre-flight request; only the first header value is used.
    /** @var string $requestedMethod */
    $requestedMethod = $requestedMethods[0];

    // #6.2.4: requested header names, lower-cased so later comparisons are
    // case-insensitive.
    $requestedHeaders = $this->getRequestedHeadersInLowerCase($request);

    // #6.2.5: the strategy decides which methods are acceptable.
    if (false === $this->strategy->isRequestMethodSupported($requestedMethod)) {
        return $this->createResult(AnalysisResultInterface::ERR_METHOD_NOT_SUPPORTED);
    }

    // #6.2.6: every requested header must be acceptable, otherwise the whole
    // pre-flight is rejected.
    if (false === $this->strategy->isRequestAllHeadersSupported($requestedHeaders)) {
        return $this->createResult(AnalysisResultInterface::ERR_HEADERS_NOT_SUPPORTED);
    }

    // #6.2.7: the concrete origin is echoed back (never '*'); credentials are
    // granted only when the strategy opts in for this request.
    $responseHeaders = [
        CorsResponseHeaders::ALLOW_ORIGIN => $requestOrigin->getOrigin(),
    ];
    if (true === $this->strategy->isRequestCredentialsSupported($request)) {
        $responseHeaders[CorsResponseHeaders::ALLOW_CREDENTIALS] =
            CorsResponseHeaders::VALUE_ALLOW_CREDENTIALS_TRUE;
    }

    // #6.4: the response varies by Origin, so shared caches must key on it
    // rather than serve one origin's allow-headers to another.
    $responseHeaders[CorsResponseHeaders::VARY] = CorsRequestHeaders::ORIGIN;

    // #6.2.8: optional pre-flight caching, with the lifetime taken from the strategy.
    if (true === $this->strategy->isPreFlightCanBeCached($request)) {
        $responseHeaders[CorsResponseHeaders::MAX_AGE] = $this->strategy->getPreFlightCacheMaxAge($request);
    }

    // #6.2.9: Allow-Methods is emitted for non-simple methods, or whenever the
    // strategy forces it. The force flag is only consulted for simple methods.
    $needsAllowMethods = isset($this->simpleMethods[$requestedMethod]) === false
        || true === $this->strategy->isForceAddAllowedMethodsToPreFlightResponse();
    if ($needsAllowMethods) {
        $responseHeaders[CorsResponseHeaders::ALLOW_METHODS] =
            $this->strategy->getRequestAllowedMethods($request, $requestedMethod);
    }

    // #6.2.10: likewise Allow-Headers, when anything beyond the simple headers
    // (Content-Type excluded from that set) was requested, or when forced.
    $onlySimpleHeaders = empty(array_diff($requestedHeaders, $this->simpleHeadersExclContentType));
    $needsAllowHeaders = $onlySimpleHeaders === false
        || true === $this->strategy->isForceAddAllowedHeadersToPreFlightResponse();
    if ($needsAllowHeaders) {
        $responseHeaders[CorsResponseHeaders::ALLOW_HEADERS] =
            $this->strategy->getRequestAllowedHeaders($request, $requestedHeaders);
    }

    return $this->createResult(AnalysisResultInterface::TYPE_PRE_FLIGHT_REQUEST, $responseHeaders);
}