
Commit 23f469e

authored
Reflect headers/methods instead of wildcard (#81)
1 parent 9ffe9f9 commit 23f469e


2 files changed

+9
-14
lines changed


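--- a/src/CorsService.php
+++ b/src/CorsService.php
@@ -166,12 +166,8 @@ private function isSingleOriginAllowed(): bool
 private function configureAllowedMethods(Response $response, Request $request)
 {
 if ($this->options['allowedMethods'] === true) {
-if ($this->options['supportsCredentials']) {
-$allowMethods = strtoupper($request->headers->get('Access-Control-Request-Method'));
-$this->varyHeader($response, 'Access-Control-Request-Method');
-} else {
-$allowMethods = '*';
-}
+$allowMethods = strtoupper($request->headers->get('Access-Control-Request-Method'));
+$this->varyHeader($response, 'Access-Control-Request-Method');
 } else {
 $allowMethods = implode(', ', $this->options['allowedMethods']);
 }
@@ -182,12 +178,8 @@ private function configureAllowedMethods(Response $response, Request $request)
 private function configureAllowedHeaders(Response $response, Request $request)
 {
 if ($this->options['allowedHeaders'] === true) {
-if ($this->options['supportsCredentials']) {
-$allowHeaders = $request->headers->get('Access-Control-Request-Headers');
-$this->varyHeader($response, 'Access-Control-Request-Headers');
-} else {
-$allowHeaders = '*';
-}
+$allowHeaders = $request->headers->get('Access-Control-Request-Headers');
+$this->varyHeader($response, 'Access-Control-Request-Headers');
 } else {
 $allowHeaders = implode(', ', $this->options['allowedHeaders']);
 }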
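Review bot: The new reflection lines pass the raw header lookup straight through, so a preflight that omits `Access-Control-Request-Headers` (legal when only safelisted headers are used) leaves `$allowHeaders` as null, and `strtoupper(null)` in the methods branch is a PHP 8.1 deprecation; if `$request->headers->get()` follows the Symfony HeaderBag signature it returns null for a missing header. Coerce at the lookup so the rest of each method sees a string: `$allowMethods = strtoupper((string) $request->headers->get('Access-Control-Request-Method'));` and `$allowHeaders = (string) $request->headers->get('Access-Control-Request-Headers');`, and decide (outside this hunk, where the header is written) whether an empty value should skip the `Access-Control-Allow-Headers` header rather than emit it blank. Since reflection is now unconditional, a one-line why-comment would save the next reader from re-adding the wildcard: `// '*' is ignored by browsers for credentialed requests, so always echo the preflight's requested list (Vary keeps caches honest).` Both configureAllowedMethods and configureAllowedHeaders continue past the hunk, so how the resulting values are set on the response is not visible here.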

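--- a/tests/CorsTest.php
+++ b/tests/CorsTest.php
@@ -89,7 +89,8 @@ public function it_returns_allow_headers_header_on_allow_all_headers_request()
 $response = $app->handle($request);
 
 $this->assertEquals(204, $response->getStatusCode());
-$this->assertEquals('*', $response->headers->get('Access-Control-Allow-Headers'));
+$this->assertEquals('Foo, BAR', $response->headers->get('Access-Control-Allow-Headers'));
+$this->assertEquals('Access-Control-Request-Headers, Access-Control-Request-Method', $response->headers->get('Vary'));
 }
 
 /**
@@ -395,7 +396,9 @@ public function it_returns_valid_preflight_request_with_allow_methods_all()
 
 $this->assertTrue($response->headers->has('Access-Control-Allow-Methods'));
 // it will return the Access-Control-Request-Method pass in the request
-$this->assertEquals('*', $response->headers->get('Access-Control-Allow-Methods'));
+$this->assertEquals('GET', $response->headers->get('Access-Control-Allow-Methods'));
+$this->assertEquals('Access-Control-Request-Method', $response->headers->get('Vary'));
+
 }
 
 /**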
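Review bot: Neither updated test covers the edge the reflection change introduces, a preflight with `allowedHeaders => true` that sends no `Access-Control-Request-Headers` at all; both fixtures appear to set it (the first expects `Foo, BAR` back), so the null-header path through configureAllowedHeaders is untested. Add a sibling case that omits the header and asserts the response either has no `Access-Control-Allow-Headers` or an empty one, whichever the service is meant to do, so the behaviour is pinned rather than accidental. The `Vary` assertions compare against an exact joined string, which couples these tests to the join order of `varyHeader`; that is acceptable but worth a short comment such as `// Vary is joined in call order: headers first, then method`. Both test methods begin above their hunks, so the request construction is not visible here.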
