Merge pull request #11 from zf-fr/dont-test-same-url

Allow domain URI to be automatically allowed
zf-fr · Oct 29, 2013 · b1cfc9f · b1cfc9f
2 parents 296d049 + 6a2750f
commit b1cfc9f
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# 1.0.1
+
+- ZfrCors previously needed you to add the host URI in the allowed origins array. This was obviously wrong, so
+now if your app is hosted on "example.com", you don't need to add "example.com" as your allowed origins, as it should
+be automatically allowed.
+
 # 1.0.0
 
 - Initial release
diff --git a/README.md b/README.md
@@ -52,7 +52,8 @@ As of now, all the various options are set globally for all routes:
 
  * `allowed_origins`: (array) List of allowed origins. To allow any origin, you can use the wildcard (`*`) character. If
    multiple origins are specified, ZfrCors will automatically check the `"Origin"` header's value, and only return the
-   allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header.
+   allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header. Please note that you don't need to
+   add your host URI (so if your website is hosted as "example.com", "example.com" is automatically allowed.
  * `allowed_methods`: (array) List of allowed HTTP methods. Those methods will be returned for the preflight request to
    indicate which methods are allowed to the user agent. You can even specify custom HTTP verbs.
  * `allowed_headers`: (array) List of allowed headers that will be returned for the preflight request. This indicates

diff --git a/src/ZfrCors/Service/CorsService.php b/src/ZfrCors/Service/CorsService.php
@@ -18,6 +18,7 @@
 
 namespace ZfrCors\Service;
 
+use Zend\Uri\UriFactory;
 use ZfrCors\Exception\DisallowedOriginException;
 use ZfrCors\Options\CorsOptions;
 use Zend\Http\Request as HttpRequest;
@@ -47,14 +48,23 @@ public function __construct(CorsOptions $options)
     }
 
     /**
-     * Check if the HTTP request is a CORS request by checking if the Origin header is present
+     * Check if the HTTP request is a CORS request by checking if the Origin header is present and that the
+     * request URI is not the same as the one in the Origin
      *
      * @param HttpRequest $request
      * @return bool
      */
     public function isCorsRequest(HttpRequest $request)
     {
-        return $request->getHeaders()->has('Origin');
+        $headers = $request->getHeaders();
+
+        if (!$headers->has('Origin')) {
+            return false;
+        }
+
+        $originUri = UriFactory::factory($headers->get('Origin')->getFieldValue());
+
+        return $originUri->getHost() !== $request->getUri()->getHost();
     }
 
     /**

diff --git a/tests/ZfrCorsTest/Service/CorsServiceTest.php b/tests/ZfrCorsTest/Service/CorsServiceTest.php
@@ -91,6 +91,15 @@ public function testCanDetectCorsRequest()
         $this->assertEquals(true, $this->corsService->isCorsRequest($request));
     }
 
+    public function testIsNotCorsRequestIfNotACrossRequest()
+    {
+        $request = new HttpRequest();
+        $request->setUri('http://example.com');
+
+        $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
+        $this->assertEquals(false, $this->corsService->isCorsRequest($request));
+    }
+
     public function testCanDetectPreflightRequest()
     {
         $request = new HttpRequest();