Allow domain URI to be automatically allowed
bakura10 committed Oct 29, 2013

1 parent 296d049 commit 6a2750f
Showing 4 changed files with 29 additions and 3 deletions.
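--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# 1.0.1
+
+- ZfrCors previously needed you to add the host URI in the allowed origins array. This was obviously wrong, so
+now if your app is hosted on "example.com", you don't need to add "example.com" as your allowed origins, as it should
+be automatically allowed.
+
 # 1.0.0
 
 - Initial release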
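--- a/README.md
+++ b/README.md
@@ -52,7 +52,8 @@ As of now, all the various options are set globally for all routes:
 
 * `allowed_origins`: (array) List of allowed origins. To allow any origin, you can use the wildcard (`*`) character. If
 multiple origins are specified, ZfrCors will automatically check the `"Origin"` header's value, and only return the
-allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header.
+allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header. Please note that you don't need to
+add your host URI (so if your website is hosted as "example.com", "example.com" is automatically allowed.
 * `allowed_methods`: (array) List of allowed HTTP methods. Those methods will be returned for the preflight request to
 indicate which methods are allowed to the user agent. You can even specify custom HTTP verbs.
 * `allowed_headers`: (array) List of allowed headers that will be returned for the preflight request. This indicates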
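--- a/src/ZfrCors/Service/CorsService.php
+++ b/src/ZfrCors/Service/CorsService.php
@@ -18,6 +18,7 @@
 
 namespace ZfrCors\Service;
 
+use Zend\Uri\UriFactory;
 use ZfrCors\Exception\DisallowedOriginException;
 use ZfrCors\Options\CorsOptions;
 use Zend\Http\Request as HttpRequest;
@@ -47,14 +48,23 @@ public function __construct(CorsOptions $options)
 }
 
 /**
-* Check if the HTTP request is a CORS request by checking if the Origin header is present
+* Check if the HTTP request is a CORS request by checking if the Origin header is present and that the
+* request URI is not the same as the one in the Origin
 *
 * @param HttpRequest $request
 * @return bool
 */
 public function isCorsRequest(HttpRequest $request)
 {
-return $request->getHeaders()->has('Origin');
+$headers = $request->getHeaders();
+
+if (!$headers->has('Origin')) {
+return false;
+}
+
+$originUri = UriFactory::factory($headers->get('Origin')->getFieldValue());
+
+return $originUri->getHost() !== $request->getUri()->getHost();
 }
 
 /**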
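Review bot: The same-origin decision at `return $originUri->getHost() !== $request->getUri()->getHost();` compares hosts only, whereas a user agent's origin is the scheme/host/port tuple (RFC 6454), so a request from `https://example.com` to `http://example.com`, or from another port on the same host, is reported as not a CORS request and receives no CORS response headers although the browser will enforce CORS on it. This fails closed (the browser discards the response) but is a functional regression against the previous presence-only check, which did emit headers for those requests. Comparing scheme and port alongside the host restores the distinction; if the request URI can carry an explicit default port where the Origin omits it, the port comparison would need normalising, which I have not verified for Zend\Uri. Separately, `UriFactory::factory()` is now fed the raw Origin header value, and if it throws on a malformed value (to be confirmed against Zend\Uri) that exception would escape from isCorsRequest, where the old code could not fail.
```php
// … unchanged: Origin header presence check …
$originUri  = UriFactory::factory($headers->get('Origin')->getFieldValue());
$requestUri = $request->getUri();

// RFC 6454: an origin is the (scheme, host, port) tuple, not the host alone
return $originUri->getScheme() !== $requestUri->getScheme()
    || $originUri->getHost() !== $requestUri->getHost()
    || $originUri->getPort() !== $requestUri->getPort();
```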
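--- a/tests/ZfrCorsTest/Service/CorsServiceTest.php
+++ b/tests/ZfrCorsTest/Service/CorsServiceTest.php
@@ -91,6 +91,15 @@ public function testCanDetectCorsRequest()
 $this->assertEquals(true, $this->corsService->isCorsRequest($request));
 }
 
+public function testIsNotCorsRequestIfNotACrossRequest()
+{
+$request = new HttpRequest();
+$request->setUri('http://example.com');
+
+$request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
+$this->assertEquals(false, $this->corsService->isCorsRequest($request));
+}
+
 public function testCanDetectPreflightRequest()
 {
 $request = new HttpRequest();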
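Review bot: The new testIsNotCorsRequestIfNotACrossRequest pins only the byte-identical origin case, so nothing documents how same-host requests that differ in scheme or port are meant to be classified; with hosts as the sole criterion in isCorsRequest they currently come back as not CORS. A companion case such as `$request->setUri('https://example.com')` with `Origin: http://example.com` would make the intended semantics explicit whichever way the implementation is decided.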
