FIX: Don't 403 error when origin is on CORS-disallowed (fixes silvers…
kinglozzer committed Mar 20, 2023
1 parent 13327fd commit 110394a
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions src/Controller.php
Expand Up @@ -184,17 +184,17 @@ public function addCorsHeaders(HTTPRequest $request, HTTPResponse $response): HT
return $response;
}

// Calculate origin
// Get origin - only one host name is allowed in the Allow-Origin header, so we must return the current origin
$origin = $this->getRequestOrigin($request);

// Check if valid
// Only output an Allow-Origin header if the current origin is a valid one
$allowedOrigins = (array)$corsConfig['Allow-Origin'];
$originAuthorised = $this->validateOrigin($origin, $allowedOrigins);
if (!$originAuthorised) {
$this->httpError(403, "Access Forbidden");
if ($this->validateOrigin($origin, $allowedOrigins)) {
// Ensure '*' is output if all origins are allowed, otherwise use current origin
$allowedOrigin = $corsConfig['Allow-Origin'] === '*' ? '*' : $origin;
$response->addHeader('Access-Control-Allow-Origin', $allowedOrigin);
}

$response->addHeader('Access-Control-Allow-Origin', $origin);
$response->addHeader('Access-Control-Allow-Headers', $corsConfig['Allow-Headers']);
$response->addHeader('Access-Control-Allow-Methods', $corsConfig['Allow-Methods']);
$response->addHeader('Access-Control-Max-Age', $corsConfig['Max-Age']);
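Review bot: The new `if` block now reflects the request's own origin into `Access-Control-Allow-Origin` whenever the config is not `'*'`, so the response differs per `Origin`, and a shared cache could serve one origin's `Access-Control-Allow-Origin` to a different requester unless a `Vary: Origin` header is also emitted, which is not visible in this hunk. Adding `$response->addHeader('Vary', 'Origin');` beside the Allow-Origin line (merged with any existing Vary value if addHeader replaces rather than appends) closes that gap. The tightening is otherwise sound: without an Allow-Origin header the browser still refuses the cross-origin read even though Allow-Headers, Allow-Methods and Max-Age are now emitted unconditionally, though those three lines do disclose the CORS policy to disallowed origins, which may or may not be acceptable here. addCorsHeaders begins before and continues past this hunk, so Vary may already be set elsewhere in the method — worth confirming before merging.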
