vendor/nelmio/cors-bundle/EventListener/CorsListener.php line 50

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the NelmioCorsBundle.
  5.  *
  6.  * (c) Nelmio <hello@nelm.io>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Nelmio\CorsBundle\EventListener;
  14. use Symfony\Component\HttpKernel\HttpKernelInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
  18. use Symfony\Component\HttpKernel\Event\GetResponseEvent;
  19. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  20. use Nelmio\CorsBundle\Options\ResolverInterface;
  22. /**
  23.  * Adds CORS headers and handles pre-flight requests
  24.  *
  25.  * @author Jordi Boggiano <j.boggiano@seld.be>
  26.  */
  27. class CorsListener
  28. {
  29.     /**
  30.      * Simple headers as defined in the spec should always be accepted
  31.      */
  32.     protected static $simpleHeaders = array(
  33.         'accept',
  34.         'accept-language',
  35.         'content-language',
  36.         'origin',
  37.     );
  39.     protected $dispatcher;
  41.     /** @var ResolverInterface */
  42.     protected $configurationResolver;
  44.     public function __construct(EventDispatcherInterface $dispatcherResolverInterface $configurationResolver)
  45.     {
  46.         $this->dispatcher $dispatcher;
  47.         $this->configurationResolver $configurationResolver;
  48.     }
  50.     public function onKernelRequest(GetResponseEvent $event)
  51.     {
  52.         if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
  53.             return;
  54.         }
  56.         $request $event->getRequest();
  58.         if (!$options $this->configurationResolver->getOptions($request)) {
  59.             return;
  60.         }
  62.         // if the "forced_allow_origin_value" option is set, add a listener which will set or override the "Access-Control-Allow-Origin" header
  63.         if (!empty($options['forced_allow_origin_value'])) {
  64.             $this->dispatcher->addListener('kernel.response', array($this'forceAccessControlAllowOriginHeader'), -1);
  65.         }
  67.         // skip if not a CORS request
  68.         if (!$request->headers->has('Origin') || $request->headers->get('Origin') == $request->getSchemeAndHttpHost()) {
  69.             return;
  70.         }
  72.         // perform preflight checks
  73.         if ('OPTIONS' === $request->getMethod() && $request->headers->has('Access-Control-Request-Method')) {
  74.             $event->setResponse($this->getPreflightResponse($request$options));
  76.             return;
  77.         }
  79.         if (!$this->checkOrigin($request$options)) {
  80.             return;
  81.         }
  83.         $this->dispatcher->addListener('kernel.response', array($this'onKernelResponse'), 0);
  84.     }
  86.     public function onKernelResponse(FilterResponseEvent $event)
  87.     {
  88.         if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
  89.             return;
  90.         }
  92.         if (!$options $this->configurationResolver->getOptions($request $event->getRequest())) {
  93.             return;
  94.         }
  96.         $response $event->getResponse();
  97.         // add CORS response headers
  98.         $response->headers->set('Access-Control-Allow-Origin'$request->headers->get('Origin'));
  99.         if ($options['allow_credentials']) {
  100.             $response->headers->set('Access-Control-Allow-Credentials''true');
  101.         }
  102.         if ($options['expose_headers']) {
  103.             $response->headers->set('Access-Control-Expose-Headers'strtolower(implode(', '$options['expose_headers'])));
  104.         }
  105.     }
  107.     public function forceAccessControlAllowOriginHeader(FilterResponseEvent $event)
  108.     {
  109.         if (!$options $this->configurationResolver->getOptions($request $event->getRequest())) {
  110.             return;
  111.         }
  113.         $event->getResponse()->headers->set('Access-Control-Allow-Origin'$options['forced_allow_origin_value']);
  114.     }
  116.     protected function getPreflightResponse(Request $request, array $options)
  117.     {
  118.         $response = new Response();
  119.         $response->setVary(array('Origin'));
  121.         if ($options['allow_credentials']) {
  122.             $response->headers->set('Access-Control-Allow-Credentials''true');
  123.         }
  124.         if ($options['allow_methods']) {
  125.             $response->headers->set('Access-Control-Allow-Methods'implode(', '$options['allow_methods']));
  126.         }
  127.         if ($options['allow_headers']) {
  128.             $headers $options['allow_headers'] === true
  129.                 $request->headers->get('Access-Control-Request-Headers')
  130.                 : implode(', '$options['allow_headers']);
  132.             if ($headers) {
  133.                 $response->headers->set('Access-Control-Allow-Headers'$headers);
  134.             }
  135.         }
  136.         if ($options['max_age']) {
  137.             $response->headers->set('Access-Control-Max-Age'$options['max_age']);
  138.         }
  140.         if (!$this->checkOrigin($request$options)) {
  141.             $response->headers->set('Access-Control-Allow-Origin''null');
  143.             return $response;
  144.         }
  146.         $response->headers->set('Access-Control-Allow-Origin'$request->headers->get('Origin'));
  148.         // check request method
  149.         if (!in_array(strtoupper($request->headers->get('Access-Control-Request-Method')), $options['allow_methods'], true)) {
  150.             $response->setStatusCode(405);
  152.             return $response;
  153.         }
  155.         /**
  156.          * We have to allow the header in the case-set as we received it by the client.
  157.          * Firefox f.e. sends the LINK method as "Link", and we have to allow it like this or the browser will deny the
  158.          * request.
  159.          */
  160.         if (!in_array($request->headers->get('Access-Control-Request-Method'), $options['allow_methods'], true)) {
  161.             $options['allow_methods'][] = $request->headers->get('Access-Control-Request-Method');
  162.             $response->headers->set('Access-Control-Allow-Methods'implode(', '$options['allow_methods']));
  163.         }
  165.         // check request headers
  166.         $headers $request->headers->get('Access-Control-Request-Headers');
  167.         if ($options['allow_headers'] !== true && $headers) {
  168.             $headers trim(strtolower($headers));
  169.             foreach (preg_split('{, *}'$headers) as $header) {
  170.                 if (in_array($headerself::$simpleHeaderstrue)) {
  171.                     continue;
  172.                 }
  173.                 if (!in_array($header$options['allow_headers'], true)) {
  174.                     $response->setStatusCode(400);
  175.                     $response->setContent('Unauthorized header '.$header);
  176.                     break;
  177.                 }
  178.             }
  179.         }
  181.         return $response;
  182.     }
  184.     protected function checkOrigin(Request $request, array $options)
  185.     {
  186.         // check origin
  187.         $origin $request->headers->get('Origin');
  189.         if ($options['allow_origin'] === true) return true;
  191.         if ($options['origin_regex'] === true) {
  192.             // origin regex matching
  193.             foreach($options['allow_origin'] as $originRegexp) {
  194.                 if (preg_match('{'.$originRegexp.'}i'$origin)) {
  195.                     return true;
  196.                 }
  197.             }
  198.         } else {
  199.             // old origin matching
  200.             if (in_array($origin$options['allow_origin'])) {
  201.                 return true;
  202.             }
  203.         }
  205.         return false;
  206.     }
  207. }