Improved CrossDomainMiddleware preventing headers to be injected on non-CORS requests

This commit is contained in:
Alejandro Celaya
2016-07-19 20:20:18 +02:00
parent 0daa24739d
commit 839329d627
4 changed files with 49 additions and 16 deletions


@@ -36,17 +36,26 @@ class CrossDomainMiddleware implements MiddlewareInterface
{
/** @var Response $response */
$response = $out($request, $response);
if (strtolower($request->getMethod()) === 'options') {
$response = $response->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
->withHeader('Access-Control-Max-Age', '1000')
->withHeader(
// Allow all requested headers
'Access-Control-Allow-Headers',
$request->getHeaderLine('Access-Control-Request-Headers')
);
if (! $request->hasHeader('Origin')) {
return $response;
}
return $response->withHeader('Access-Control-Allow-Origin', '*');
// Add Allow-Origin header
$response = $response->withHeader('Access-Control-Allow-Origin', '*');
if ($request->getMethod() !== 'OPTIONS') {
return $response;
}
// Add OPTIONS-specific headers
$headers = [
'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS', // TODO Should be based on path
'Access-Control-Max-Age' => '1000',
'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
];
foreach ($headers as $key => $value) {
$response = $response->withHeader($key, $value);
}
return $response;
}
}
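Review bot: `Access-Control-Allow-Headers` is filled with whatever the client sent in `Access-Control-Request-Headers`, so the preflight reply allows any header the caller asks for, and when the request carries no such header the response still gets an empty `Access-Control-Allow-Headers:` line. Add the entry only when there is something to reflect, `$requested = $request->getHeaderLine('Access-Control-Request-Headers'); if ($requested !== '') { $headers['Access-Control-Allow-Headers'] = $requested; }`, and state the policy in a comment such as `// Reflects the requested headers verbatim; no allow-list is enforced here`. The rendered page shows the `hasHeader('Origin')` guard without its side marker; if it belongs to the new code, the `Access-Control-Allow-Origin: *` wildcard is now limited to requests that send an Origin, which matches the title, but `*` with no credentials header set in this hunk is a fully open read policy and deserves a line in the class docblock. The method check also moved from `strtolower(...) === 'options'` to `getMethod() !== 'OPTIONS'`, which is case-sensitive as RFC 7231 specifies but is a behaviour change the message does not mention. The method's signature sits above the hunk.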