public function testReturnNullForDifferentSchemeOnWildcardSubDomainOrigin()
{
    // The wildcard pattern only covers the "http" scheme, so an "https" origin
    // must be answered with the null string rather than echoed back.
    $this->corsOptions->setAllowedOrigins(array('http://*.example.com'));

    $request = new HttpRequest();
    $request->getHeaders()->addHeaderLine('Origin', 'https://example.com');

    $responseHeaders = $this->corsService
        ->createPreflightCorsResponse($request)
        ->getHeaders();

    $allowOriginHeader = $responseHeaders->get('Access-Control-Allow-Origin');
    $this->assertEquals('null', $allowOriginHeader->getFieldValue());
}
public function testReturnNothingForNormalAuthorizedCorsRequest()
{
    // An origin that exactly matches the allowed list is a plain (non-preflight)
    // CORS request: the listener must let the dispatch continue by returning null.
    $this->corsOptions->setAllowedOrigins(array('http://example.com'));

    $request = new HttpRequest();
    $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');

    $event = new MvcEvent();
    $event->setRequest($request);
    $event->setResponse(new HttpResponse());

    $result = $this->corsListener->onCorsRequest($event);
    $this->assertNull($result);
}
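/**
 * Get a single value for the "Access-Control-Allow-Origin" header
 *
 * According to the spec, it is not valid to set multiple origins separated by commas. Only accepted
 * value are wildcard ("*"), an exact domain or a null string.
 *
 * Configured origins are compared to the request's Origin header with fnmatch(), so an entry may
 * contain shell-style wildcards (e.g. "http://*.example.com"). Keep in mind that "*" in fnmatch()
 * matches any run of characters, including "." and "/", so patterns should be kept as narrow as
 * the deployment allows. A request without an Origin header yields the null string.
 *
 * @link http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
 * @param HttpRequest $request
 * @return string
 */
protected function getAllowedOriginValue(HttpRequest $request)
{
    $allowedOrigins = $this->options->getAllowedOrigins();

    // Strict comparison: only the literal string "*" enables the wildcard response
    if (in_array('*', $allowedOrigins, true)) {
        return '*';
    }

    // getHeader() returns its default (false) when the header is absent; do not
    // dereference it in that case
    $originHeader = $request->getHeader('Origin');
    if ($originHeader === false) {
        return 'null';
    }

    $origin = $originHeader->getFieldValue();

    foreach ($allowedOrigins as $allowedOrigin) {
        if (fnmatch($allowedOrigin, $origin)) {
            // Echo the request origin back, never the pattern itself
            return $origin;
        }
    }

    return 'null';
}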
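/**
 * Ensure that the Vary header is set.
 *
 * When the allowed origin is not "*", the response content depends on the request's Origin, so
 * "Origin" must be listed in the "Vary" header for caches to key on it. An existing "Vary" header
 * is extended rather than replaced, and "Origin" is not appended a second time if it is already
 * present (or if the header is already "*").
 *
 * @link http://www.w3.org/TR/cors/#resource-implementation
 * @param HttpResponse $response
 * @return \Zend\Http\Headers
 */
public function ensureVaryHeader(HttpResponse $response)
{
    $headers = $response->getHeaders();

    // If the origin is not "*", we should add the "Origin" value to the "Vary" header
    // See more: http://www.w3.org/TR/cors/#resource-implementation
    $allowedOrigins = $this->options->getAllowedOrigins();

    if (in_array('*', $allowedOrigins, true)) {
        return $headers;
    }

    if (!$headers->has('Vary')) {
        $headers->addHeaderLine('Vary', 'Origin');

        return $headers;
    }

    $varyHeader = $headers->get('Vary');
    $varyValue  = $varyHeader->getFieldValue();

    // Header field names are case-insensitive; normalise before checking membership
    $varyMembers = array_map(
        'strtolower',
        array_map('trim', explode(',', $varyValue))
    );

    // Nothing to do when the cache key already depends on Origin (or on everything)
    if (in_array('origin', $varyMembers, true) || in_array('*', $varyMembers, true)) {
        return $headers;
    }

    $headers->removeHeader($varyHeader);
    $headers->addHeaderLine('Vary', $varyValue . ', Origin');

    return $headers;
}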
public function testNormalizeHttpMethods()
{
    // Method names are stored upper-cased regardless of how they were supplied.
    $mixedCaseMethods = array('post', 'GeT');
    $expectedMethods  = array('POST', 'GET');

    $options = new CorsOptions();
    $options->setAllowedMethods($mixedCaseMethods);

    $this->assertEquals($expectedMethods, $options->getAllowedMethods());
}