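 /**
  * Populate a simple (non-preflight) CORS response
  *
  * Adds the Access-Control-Allow-Origin / Expose-Headers / Allow-Credentials
  * headers derived from the configured options, and appends "Origin" to the
  * Vary header whenever the allowed origin is not the wildcard.
  *
  * @param  HttpRequest               $request
  * @param  HttpResponse              $response
  * @return HttpResponse
  * @throws DisallowedOriginException If the origin is not allowed (the message carries the
  *                                   request's Origin value, or an empty string when the
  *                                   header is missing)
  */
 public function populateCorsResponse(HttpRequest $request, HttpResponse $response)
 {
     $origin = $this->getAllowedOriginValue($request);

     // If $origin is "null", then it means that the origin is not allowed. As this is
     // a simple request, it is useless to continue the processing as it will be refused
     // by the browser anyway, so we throw an exception
     if ($origin === 'null') {
         // The request may carry no Origin header at all, in which case getHeader() does
         // not return a header object; guard before calling getFieldValue() on it
         $originHeader = $request->getHeader('Origin');
         $originValue  = $originHeader ? $originHeader->getFieldValue() : '';

         throw new DisallowedOriginException(sprintf('The origin "%s" is not authorized', $originValue));
     }

     $headers = $response->getHeaders();
     $headers->addHeaderLine('Access-Control-Allow-Origin', $origin);
     $headers->addHeaderLine('Access-Control-Expose-Headers', implode(', ', $this->options->getExposedHeaders()));

     // If the origin is not "*", we should add the "Origin" value to the "Vary" header, so
     // that a shared cache never serves a response tagged with one origin to another one
     // See more: http://www.w3.org/TR/cors/#resource-implementation
     if ($origin !== '*') {
         if ($headers->has('Vary')) {
             $varyHeader = $headers->get('Vary');
             $varyValue  = $varyHeader->getFieldValue() . ', Origin';

             $headers->removeHeader($varyHeader);
             $headers->addHeaderLine('Vary', $varyValue);
         } else {
             $headers->addHeaderLine('Vary', 'Origin');
         }
     }

     // NOTE(review): browsers refuse "Access-Control-Allow-Credentials: true" when it is
     // combined with a wildcard Allow-Origin; nothing here prevents that combination, it
     // is left to the configured options
     if ($this->options->getAllowedCredentials()) {
         $headers->addHeaderLine('Access-Control-Allow-Credentials', 'true');
     }

     return $response;
 }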
 /**
  * Every setter on CorsOptions must be reflected by its matching getter
  */
 public function testCanModifyOptions()
 {
     $options = new CorsOptions();

     $origins = ['http://example1.com', 'http://example2.com'];
     $options->setAllowedOrigins($origins);
     $this->assertEquals($origins, $options->getAllowedOrigins());

     $methods = ['POST', 'GET'];
     $options->setAllowedMethods($methods);
     $this->assertEquals($methods, $options->getAllowedMethods());

     $allowedHeaders = ['Content-Type'];
     $options->setAllowedHeaders($allowedHeaders);
     $this->assertEquals($allowedHeaders, $options->getAllowedHeaders());

     $maxAge = 30;
     $options->setMaxAge($maxAge);
     $this->assertEquals($maxAge, $options->getMaxAge());

     $exposedHeaders = ['Location', 'X-Custom-Header'];
     $options->setExposedHeaders($exposedHeaders);
     $this->assertEquals($exposedHeaders, $options->getExposedHeaders());

     $options->setAllowedCredentials(true);
     $this->assertTrue($options->getAllowedCredentials());
 }
 /**
  * Populate a simple (non-preflight) CORS response
  *
  * Sets Access-Control-Allow-Origin, Access-Control-Expose-Headers and, when the
  * options ask for it, Access-Control-Allow-Credentials; the Vary header is handed
  * to ensureVaryHeader() and the resulting header set is written back to the response.
  *
  * @param  HttpRequest               $request
  * @param  HttpResponse              $response
  * @return HttpResponse
  * @throws DisallowedOriginException If the origin is not allowed (the message carries the
  *                                   request's Origin value, or an empty string when the
  *                                   header is missing)
  */
 public function populateCorsResponse(HttpRequest $request, HttpResponse $response)
 {
     $allowedOrigin = $this->getAllowedOriginValue($request);

     // A literal "null" means the origin was rejected. For a simple request the browser
     // would discard the response anyway, so stop here instead of building it
     if ($allowedOrigin === 'null') {
         // Keep the rejected value for the message, but tolerate a request with no Origin
         // header (getHeader() then yields no header object to call getFieldValue() on)
         $requestOrigin  = $request->getHeader('Origin');
         $requestedValue = '';
         if ($requestOrigin) {
             $requestedValue = $requestOrigin->getFieldValue();
         }

         throw new DisallowedOriginException(sprintf('The origin "%s" is not authorized', $requestedValue));
     }

     $headers = $response->getHeaders();
     $headers->addHeaderLine('Access-Control-Allow-Origin', $allowedOrigin);
     $headers->addHeaderLine(
         'Access-Control-Expose-Headers',
         implode(', ', $this->options->getExposedHeaders())
     );

     // Vary handling is delegated (presumably appending "Origin" for non-wildcard
     // origins; see ensureVaryHeader); it returns the header set to continue with
     $headers = $this->ensureVaryHeader($response);

     if ($this->options->getAllowedCredentials()) {
         $headers->addHeaderLine('Access-Control-Allow-Credentials', 'true');
     }

     $response->setHeaders($headers);

     return $response;
 }