vendor/nelmio/cors-bundle/EventListener/CorsListener.php line 85

  1. <?php
  3. /*
  4.  * This file is part of the NelmioCorsBundle.
  5.  *
  6.  * (c) Nelmio <hello@nelm.io>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Nelmio\CorsBundle\EventListener;
  14. use Nelmio\CorsBundle\Options\ResolverInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  19. use Symfony\Component\HttpKernel\HttpKernelInterface;
  21. /**
  22.  * Adds CORS headers and handles pre-flight requests
  23.  *
  24.  * @author Jordi Boggiano <j.boggiano@seld.be>
  25.  */
  26. class CorsListener
  27. {
  28.     const SHOULD_ALLOW_ORIGIN_ATTR '_nelmio_cors_should_allow_origin';
  29.     const SHOULD_FORCE_ORIGIN_ATTR '_nelmio_cors_should_force_origin';
  31.     /**
  32.      * Simple headers as defined in the spec should always be accepted
  33.      */
  34.     protected static $simpleHeaders = [
  35.         'accept',
  36.         'accept-language',
  37.         'content-language',
  38.         'origin',
  39.     ];
  41.     /** @var ResolverInterface */
  42.     protected $configurationResolver;
  44.     public function __construct(ResolverInterface $configurationResolver)
  45.     {
  46.         $this->configurationResolver $configurationResolver;
  47.     }
  49.     public function onKernelRequest(RequestEvent $event): void
  50.     {
  51.         if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
  52.             return;
  53.         }
  55.         $request $event->getRequest();
  57.         if (!$options $this->configurationResolver->getOptions($request)) {
  58.             return;
  59.         }
  61.         // if the "forced_allow_origin_value" option is set, add a listener which will set or override the "Access-Control-Allow-Origin" header
  62.         if (!empty($options['forced_allow_origin_value'])) {
  63.             $request->attributes->set(self::SHOULD_FORCE_ORIGIN_ATTRtrue);
  64.         }
  66.         // skip if not a CORS request
  67.         if (!$request->headers->has('Origin') || $request->headers->get('Origin') === $request->getSchemeAndHttpHost()) {
  68.             return;
  69.         }
  71.         // perform preflight checks
  72.         if ('OPTIONS' === $request->getMethod() && $request->headers->has('Access-Control-Request-Method')) {
  73.             $event->setResponse($this->getPreflightResponse($request$options));
  75.             return;
  76.         }
  78.         if (!$this->checkOrigin($request$options)) {
  79.             return;
  80.         }
  82.         $request->attributes->set(self::SHOULD_ALLOW_ORIGIN_ATTRtrue);
  83.     }
  85.     public function onKernelResponse(ResponseEvent $event): void
  86.     {
  87.         if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
  88.             return;
  89.         }
  91.         $request $event->getRequest();
  93.         $shouldAllowOrigin $request->attributes->getBoolean(self::SHOULD_ALLOW_ORIGIN_ATTR);
  94.         $shouldForceOrigin $request->attributes->getBoolean(self::SHOULD_FORCE_ORIGIN_ATTR);
  96.         if (!$shouldAllowOrigin && !$shouldForceOrigin) {
  97.             return;
  98.         }
  100.         if (!$options $this->configurationResolver->getOptions($request)) {
  101.             return;
  102.         }
  104.         if ($shouldAllowOrigin) {
  105.             $response $event->getResponse();
  106.             // add CORS response headers
  107.             $response->headers->set('Access-Control-Allow-Origin'$request->headers->get('Origin'));
  108.             if ($options['allow_credentials']) {
  109.                 $response->headers->set('Access-Control-Allow-Credentials''true');
  110.             }
  111.             if ($options['expose_headers']) {
  112.                 $response->headers->set('Access-Control-Expose-Headers'strtolower(implode(', '$options['expose_headers'])));
  113.             }
  114.         }
  116.         if ($shouldForceOrigin) {
  117.             $event->getResponse()->headers->set('Access-Control-Allow-Origin'$options['forced_allow_origin_value']);
  118.         }
  119.     }
  121.     protected function getPreflightResponse(Request $request, array $options): Response
  122.     {
  123.         $response = new Response();
  124.         $response->setVary(['Origin']);
  126.         if ($options['allow_credentials']) {
  127.             $response->headers->set('Access-Control-Allow-Credentials''true');
  128.         }
  129.         if ($options['allow_methods']) {
  130.             $response->headers->set('Access-Control-Allow-Methods'implode(', '$options['allow_methods']));
  131.         }
  132.         if ($options['allow_headers']) {
  133.             $headers $this->isWildcard($options'allow_headers')
  134.                 ? $request->headers->get('Access-Control-Request-Headers')
  135.                 : implode(', '$options['allow_headers']);
  137.             if ($headers) {
  138.                 $response->headers->set('Access-Control-Allow-Headers'$headers);
  139.             }
  140.         }
  141.         if ($options['max_age']) {
  142.             $response->headers->set('Access-Control-Max-Age'$options['max_age']);
  143.         }
  145.         if (!$this->checkOrigin($request$options)) {
  146.             $response->headers->remove('Access-Control-Allow-Origin');
  148.             return $response;
  149.         }
  151.         $response->headers->set('Access-Control-Allow-Origin'$request->headers->get('Origin'));
  153.         // check request method
  154.         if (!in_array(strtoupper($request->headers->get('Access-Control-Request-Method')), $options['allow_methods'], true)) {
  155.             $response->setStatusCode(405);
  157.             return $response;
  158.         }
  160.         /**
  161.          * We have to allow the header in the case-set as we received it by the client.
  162.          * Firefox f.e. sends the LINK method as "Link", and we have to allow it like this or the browser will deny the
  163.          * request.
  164.          */
  165.         if (!in_array($request->headers->get('Access-Control-Request-Method'), $options['allow_methods'], true)) {
  166.             $options['allow_methods'][] = $request->headers->get('Access-Control-Request-Method');
  167.             $response->headers->set('Access-Control-Allow-Methods'implode(', '$options['allow_methods']));
  168.         }
  170.         // check request headers
  171.         $headers $request->headers->get('Access-Control-Request-Headers');
  172.         if ($headers && !$this->isWildcard($options'allow_headers')) {
  173.             $headers strtolower(trim($headers));
  174.             foreach (preg_split('{, *}'$headers) as $header) {
  175.                 if (in_array($headerself::$simpleHeaderstrue)) {
  176.                     continue;
  177.                 }
  178.                 if (!in_array($header$options['allow_headers'], true)) {
  179.                     $sanitizedMessage htmlentities('Unauthorized header '.$headerENT_QUOTES'UTF-8');
  180.                     $response->setStatusCode(400);
  181.                     $response->setContent($sanitizedMessage);
  182.                     break;
  183.                 }
  184.             }
  185.         }
  187.         return $response;
  188.     }
  190.     protected function checkOrigin(Request $request, array $options): bool
  191.     {
  192.         // check origin
  193.         $origin $request->headers->get('Origin');
  195.         if ($this->isWildcard($options'allow_origin')) {
  196.             return true;
  197.         }
  199.         if ($options['origin_regex'] === true) {
  200.             // origin regex matching
  201.             foreach ($options['allow_origin'] as $originRegexp) {
  202.                 if (preg_match('{'.$originRegexp.'}i'$origin)) {
  203.                     return true;
  204.                 }
  205.             }
  206.         } else {
  207.             // old origin matching
  208.             if (in_array($origin$options['allow_origin'])) {
  209.                 return true;
  210.             }
  211.         }
  213.         return false;
  214.     }
  216.     private function isWildcard(array $optionsstring $option): bool
  217.     {
  218.         return $options[$option] === true || (is_array($options[$option]) && in_array('*'$options[$option]));
  219.     }
  220. }