FIX: Don't 403 error when origin is on CORS-disallowed (fixes silvers…
kinglozzer committed Mar 20, 2023
1 parent 13327fd commit fb6295b
Showing 1 changed file with 13 additions and 6 deletions.
19 changes: 13 additions & 6 deletions src/Controller.php
Expand Up @@ -184,17 +184,24 @@ public function addCorsHeaders(HTTPRequest $request, HTTPResponse $response): HT
return $response;
}

// Calculate origin
// Get origin - only one host name is allowed in the Allow-Origin header, so we must return the current origin
$origin = $this->getRequestOrigin($request);

// Check if valid
// Only output an Allow-Origin header if the current origin is a valid one
$allowedOrigins = (array)$corsConfig['Allow-Origin'];
$originAuthorised = $this->validateOrigin($origin, $allowedOrigins);
if (!$originAuthorised) {
$this->httpError(403, "Access Forbidden");
if ($this->validateOrigin($origin, $allowedOrigins)) {
if ($corsConfig['Allow-Origin'] === '*') {
// Any origin is allowed
$response->addHeader('Access-Control-Allow-Origin', '*');
} else {
// Specific origins allowed - only one can be output at a time, so we have to output the current one
$response->addHeader('Access-Control-Allow-Origin', $origin);
// If specific allowed origins are set, the response headers will vary by request origin, so use the
// Vary header to tell browsers/CDNs that
$response->addHeader('Vary', 'Origin');
}
}

$response->addHeader('Access-Control-Allow-Origin', $origin);
$response->addHeader('Access-Control-Allow-Headers', $corsConfig['Allow-Headers']);
$response->addHeader('Access-Control-Allow-Methods', $corsConfig['Allow-Methods']);
$response->addHeader('Access-Control-Max-Age', $corsConfig['Max-Age']);
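Review bot: `Vary: Origin` is only emitted on the branch where the origin validated, but with a specific `Allow-Origin` list the response also differs by `Origin` when validation fails (it then carries no `Access-Control-Allow-Origin` at all), so a shared cache or CDN can store that header-less response and serve it to a later request from an allowed origin, which then fails CORS. Emit the header whenever the configured value is not the wildcard, independent of the validation result: `if ($corsConfig['Allow-Origin'] !== '*') { $response->addHeader('Vary', 'Origin'); }` placed before the `validateOrigin` check, dropping the `addHeader('Vary', 'Origin')` call from the else branch. If `addHeader` replaces rather than appends (its implementation is not visible here), a `Vary` value already present on the response would also be overwritten, which is worth confirming. The body of `addCorsHeaders` starts and ends outside this hunk.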
