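/**
 * Populate a simple CORS response
 *
 * Adds "Access-Control-Allow-Origin" and "Access-Control-Expose-Headers", makes sure
 * "Vary: Origin" is present for origin-specific answers (so a shared cache never reuses
 * a response issued for one origin to answer another one, see
 * http://www.w3.org/TR/cors/#resource-implementation) and, when the options allow it,
 * "Access-Control-Allow-Credentials".
 *
 * @param HttpRequest $request
 * @param HttpResponse $response
 * @return HttpResponse The same response instance, with the CORS headers added
 * @throws DisallowedOriginException If the origin is not allowed
 */
public function populateCorsResponse(HttpRequest $request, HttpResponse $response)
{
    $origin = $this->getAllowedOriginValue($request);

    // If $origin is "null", then it means that the origin is not allowed. As this is
    // a simple request, it is useless to continue the processing as it will be refused
    // by the browser anyway, so we throw an exception
    if ($origin === 'null') {
        // The request may not carry an "Origin" header at all (getHeader() then returns a
        // falsy value instead of a header object), so do not dereference it blindly when
        // building the exception message
        $originHeader = $request->getHeader('Origin');
        $originValue  = $originHeader ? $originHeader->getFieldValue() : '';

        throw new DisallowedOriginException(sprintf('The origin "%s" is not authorized', $originValue));
    }

    $headers = $response->getHeaders();
    $headers->addHeaderLine('Access-Control-Allow-Origin', $origin);
    $headers->addHeaderLine('Access-Control-Expose-Headers', implode(', ', $this->options->getExposedHeaders()));

    // If the origin is not "*", we should add the "Origin" value to the "Vary" header
    // See more: http://www.w3.org/TR/cors/#resource-implementation
    if ($origin !== '*') {
        if ($headers->has('Vary')) {
            // The header collection has no "append" operation, so the existing "Vary"
            // line is replaced by one that also lists "Origin"
            $varyHeader = $headers->get('Vary');
            $varyValue  = $varyHeader->getFieldValue() . ', Origin';

            $headers->removeHeader($varyHeader);
            $headers->addHeaderLine('Vary', $varyValue);
        } else {
            $headers->addHeaderLine('Vary', 'Origin');
        }
    }

    if ($this->options->getAllowedCredentials()) {
        // NOTE(review): browsers reject "Access-Control-Allow-Credentials: true" combined with
        // "Access-Control-Allow-Origin: *"; confirm getAllowedOriginValue() never yields "*"
        // while credentials are enabled
        $headers->addHeaderLine('Access-Control-Allow-Credentials', 'true');
    }

    return $response;
}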
/**
 * Every setter on CorsOptions must be readable back through its matching getter
 */
public function testCanModifyOptions()
{
    $options = new CorsOptions();

    // Each entry: setter, matching getter, value that must round-trip unchanged
    $roundTrips = array(
        array('setAllowedOrigins', 'getAllowedOrigins', array('http://example1.com', 'http://example2.com')),
        array('setAllowedMethods', 'getAllowedMethods', array('POST', 'GET')),
        array('setAllowedHeaders', 'getAllowedHeaders', array('Content-Type')),
        array('setMaxAge', 'getMaxAge', 30),
        array('setExposedHeaders', 'getExposedHeaders', array('Location', 'X-Custom-Header')),
    );

    foreach ($roundTrips as $roundTrip) {
        list($setter, $getter, $value) = $roundTrip;

        $options->$setter($value);
        $this->assertEquals($value, $options->$getter());
    }

    // The credentials flag is a boolean, so it is checked with assertTrue rather than assertEquals
    $options->setAllowedCredentials(true);
    $this->assertTrue($options->getAllowedCredentials());
}
/**
 * Populate a simple CORS response
 *
 * Adds "Access-Control-Allow-Origin" and "Access-Control-Expose-Headers", delegates the
 * "Vary" handling to ensureVaryHeader() and, when the options allow it, adds
 * "Access-Control-Allow-Credentials".
 *
 * @param HttpRequest $request
 * @param HttpResponse $response
 * @return HttpResponse The same response instance, with the CORS headers added
 * @throws DisallowedOriginException If the origin is not allowed
 */
public function populateCorsResponse(HttpRequest $request, HttpResponse $response)
{
    $allowedOrigin = $this->getAllowedOriginValue($request);

    // A "null" value means the origin is not allowed. Since this is a simple request the
    // browser would refuse the answer anyway, so processing stops here with an exception
    if ($allowedOrigin === 'null') {
        $requestOrigin = '';
        $originHeader  = $request->getHeader('Origin');

        // The "Origin" header may be absent (falsy return), in which case the message
        // carries an empty origin instead of dereferencing a non-object
        if ($originHeader) {
            $requestOrigin = $originHeader->getFieldValue();
        }

        throw new DisallowedOriginException(sprintf('The origin "%s" is not authorized', $requestOrigin));
    }

    $headers = $response->getHeaders();
    $headers->addHeaderLine('Access-Control-Allow-Origin', $allowedOrigin);
    $headers->addHeaderLine('Access-Control-Expose-Headers', implode(', ', $this->options->getExposedHeaders()));

    // ensureVaryHeader() is defined elsewhere in this class; presumably it returns the
    // response's own header collection (otherwise the two lines added above would be
    // dropped by the setHeaders() call below) — verify against its implementation
    $headers = $this->ensureVaryHeader($response);

    if ($this->options->getAllowedCredentials()) {
        $headers->addHeaderLine('Access-Control-Allow-Credentials', 'true');
    }

    $response->setHeaders($headers);

    return $response;
}