From 6a2750f7f332bcede54e179293f8dfd9845cc74b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Gallego?=
Date: Tue, 29 Oct 2013 17:42:39 +0100
Subject: [PATCH] Allow domain URI to be automatically allowed

---
 CHANGELOG.md | 6 ++++++
 README.md | 3 ++-
 src/ZfrCors/Service/CorsService.php | 14 ++++++++++++--
 tests/ZfrCorsTest/Service/CorsServiceTest.php | 9 +++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f87be6d..f3d6ad1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# 1.0.1
+
+- ZfrCors previously needed you to add the host URI in the allowed origins array. This was obviously wrong, so
+now if your app is hosted on "example.com", you don't need to add "example.com" as your allowed origins, as it should
+be automatically allowed.
+
 # 1.0.0
 - Initial release
diff --git a/README.md b/README.md
index e6d0acf..aeaba5c 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,8 @@ As of now, all the various options are set globally for all routes:
 * `allowed_origins`: (array) List of allowed origins. To allow any origin, you can use the wildcard (`*`) character.
   If multiple origins are specified, ZfrCors will automatically check the `"Origin"` header's value, and only return the
-  allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header.
+  allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header. Please note that you don't need to
+  add your host URI (so if your website is hosted as "example.com", "example.com" is automatically allowed.
 * `allowed_methods`: (array) List of allowed HTTP methods. Those methods will be returned for the preflight request to
   indicate which methods are allowed to the user agent. You can even specify custom HTTP verbs.
 * `allowed_headers`: (array) List of allowed headers that will be returned for the preflight request. This indicates
diff --git a/src/ZfrCors/Service/CorsService.php b/src/ZfrCors/Service/CorsService.php
index 4c00db7..006715e 100644
--- a/src/ZfrCors/Service/CorsService.php
+++ b/src/ZfrCors/Service/CorsService.php
@@ -18,6 +18,7 @@
 namespace ZfrCors\Service;
+use Zend\Uri\UriFactory;
 use ZfrCors\Exception\DisallowedOriginException;
 use ZfrCors\Options\CorsOptions;
 use Zend\Http\Request as HttpRequest;
@@ -47,14 +48,23 @@ public function __construct(CorsOptions $options)
     }
     /**
-     * Check if the HTTP request is a CORS request by checking if the Origin header is present
+     * Check if the HTTP request is a CORS request by checking if the Origin header is present and that the
+     * request URI is not the same as the one in the Origin
      *
      * @param HttpRequest $request
      * @return bool
      */
     public function isCorsRequest(HttpRequest $request)
     {
-        return $request->getHeaders()->has('Origin');
+        $headers = $request->getHeaders();
+
+        if (!$headers->has('Origin')) {
+            return false;
+        }
+
+        $originUri = UriFactory::factory($headers->get('Origin')->getFieldValue());
+
+        return $originUri->getHost() !== $request->getUri()->getHost();
     }
     /**
diff --git a/tests/ZfrCorsTest/Service/CorsServiceTest.php b/tests/ZfrCorsTest/Service/CorsServiceTest.php
index f0d031e..22bd20b 100644
--- a/tests/ZfrCorsTest/Service/CorsServiceTest.php
+++ b/tests/ZfrCorsTest/Service/CorsServiceTest.php
@@ -91,6 +91,15 @@ public function testCanDetectCorsRequest()
         $this->assertEquals(true, $this->corsService->isCorsRequest($request));
     }
+    public function testIsNotCorsRequestIfNotACrossRequest()
+    {
+        $request = new HttpRequest();
+        $request->setUri('http://example.com');
+
+        $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
+        $this->assertEquals(false, $this->corsService->isCorsRequest($request));
+    }
+
     public function testCanDetectPreflightRequest()
     {
         $request = new HttpRequest();
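Review bot: The new return line in isCorsRequest compares only the host, but an origin is the (scheme, host, port) tuple, so a request from `http://example.com` to `https://example.com`, or from another port on the same host, is now classified as non-CORS; presumably the listener then emits no `Access-Control-Allow-Origin` header and the browser blocks a request it would previously have served. Comparing the full tuple fixes that, and hosts should be compared case-insensitively since DNS names are. Separately, the Origin header is attacker-controlled and, if I recall correctly, `UriFactory::factory()` throws for a scheme it has no class registered for, so an unexpected Origin value would surface as an uncaught exception from this method rather than a `false`; the `Origin: null` value browsers send for opaque origins also deserves a test, since `getHost()` returns `null` for it and the method then reports a CORS request. The allowed-origin checks that consume this result are outside the hunk.
```php
        $originUri  = UriFactory::factory($headers->get('Origin')->getFieldValue());
        $requestUri = $request->getUri();

        // Same-origin means identical scheme, host and port, not just host. Hosts are
        // case-insensitive. TODO confirm whether getPort() is null for both
        // "http://example.com" and "http://example.com:80" before relying on this.
        return strtolower((string) $originUri->getScheme()) !== strtolower((string) $requestUri->getScheme())
            || strcasecmp((string) $originUri->getHost(), (string) $requestUri->getHost()) !== 0
            || $originUri->getPort() !== $requestUri->getPort();
```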
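Review bot: testIsNotCorsRequestIfNotACrossRequest only pins the host-equal case, so it would still pass if the implementation ignored scheme or port; a sibling case with `$request->setUri('https://example.com')` and the same `http://example.com` Origin (expected `true`) would document the intended same-origin boundary. As a point of style, `$this->assertFalse(...)` reads better than `assertEquals(false, ...)` and fails with a clearer message; the existing test above uses the same `assertEquals(true, ...)` form, so either keep them consistent or switch both.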