vendor/nelmio/cors-bundle/EventListener/CorsListener.php line 59

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the NelmioCorsBundle.
  5.  *
  6.  * (c) Nelmio <hello@nelm.io>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Nelmio\CorsBundle\EventListener;
  14. use Nelmio\CorsBundle\Options\ResolverInterface;
  15. use Psr\Log\LoggerInterface;
  16. use Psr\Log\NullLogger;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Response;
  19. use Symfony\Component\HttpKernel\Event\RequestEvent;
  20. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  21. use Symfony\Component\HttpKernel\HttpKernelInterface;
  23. /**
  24.  * Adds CORS headers and handles pre-flight requests
  25.  *
  26.  * @author Jordi Boggiano <j.boggiano@seld.be>
  27.  */
  28. class CorsListener
  29. {
  30.     const SHOULD_ALLOW_ORIGIN_ATTR '_nelmio_cors_should_allow_origin';
  31.     const SHOULD_FORCE_ORIGIN_ATTR '_nelmio_cors_should_force_origin';
  33.     /**
  34.      * Simple headers as defined in the spec should always be accepted
  35.      */
  36.     protected static $simpleHeaders = [
  37.         'accept',
  38.         'accept-language',
  39.         'content-language',
  40.         'origin',
  41.     ];
  43.     /** @var ResolverInterface */
  44.     protected $configurationResolver;
  46.     /** @var LoggerInterface */
  47.     private $logger;
  49.     public function __construct(ResolverInterface $configurationResolver, ?LoggerInterface $logger null)
  50.     {
  51.         $this->configurationResolver $configurationResolver;
  53.         if (null === $logger) {
  54.             $logger = new NullLogger();
  55.         }
  56.         $this->logger $logger;
  57.     }
  59.     public function onKernelRequest(RequestEvent $event): void
  60.     {
  61.         if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
  62.             $this->logger->debug('Not a master type request, skipping CORS checks.');
  64.             return;
  65.         }
  67.         $request $event->getRequest();
  69.         if (!$options $this->configurationResolver->getOptions($request)) {
  70.             $this->logger->debug('Could not get options for request, skipping CORS checks.');
  71.             return;
  72.         }
  74.         // if the "forced_allow_origin_value" option is set, add a listener which will set or override the "Access-Control-Allow-Origin" header
  75.         if (!empty($options['forced_allow_origin_value'])) {
  76.             $this->logger->debug(sprintf(
  77.                 "The 'forced_allow_origin_value' option is set to '%s', adding a listener to set or override the 'Access-Control-Allow-Origin' header.",
  78.                 $options['forced_allow_origin_value']
  79.             ));
  81.             $request->attributes->set(self::SHOULD_FORCE_ORIGIN_ATTRtrue);
  82.         }
  84.         // skip if not a CORS request
  85.         if (!$request->headers->has('Origin')) {
  86.             $this->logger->debug("Request does not have 'Origin' header, skipping CORS.");
  88.             return;
  89.         }
  91.         if ($options['skip_same_as_origin'] && $request->headers->get('Origin') === $request->getSchemeAndHttpHost()) {
  92.             $this->logger->debug("The 'Origin' header of the request equals the scheme and host the request was sent to, skipping CORS.");
  94.             return;
  95.         }
  97.         // perform preflight checks
  98.         if ('OPTIONS' === $request->getMethod() && $request->headers->has('Access-Control-Request-Method')) {
  99.             $this->logger->debug("Request is a preflight check, setting event response now.");
  101.             $event->setResponse($this->getPreflightResponse($request$options));
  103.             return;
  104.         }
  106.         if (!$this->checkOrigin($request$options)) {
  107.             $this->logger->debug("Origin check failed.");
  109.             return;
  110.         }
  112.         $this->logger->debug("Origin is allowed, proceed with adding CORS response headers.");
  114.         $request->attributes->set(self::SHOULD_ALLOW_ORIGIN_ATTRtrue);
  115.     }
  117.     public function onKernelResponse(ResponseEvent $event): void
  118.     {
  119.         if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
  120.             $this->logger->debug("Not a master type request, skip adding CORS response headers.");
  122.             return;
  123.         }
  125.         $request $event->getRequest();
  127.         $shouldAllowOrigin $request->attributes->getBoolean(self::SHOULD_ALLOW_ORIGIN_ATTR);
  128.         $shouldForceOrigin $request->attributes->getBoolean(self::SHOULD_FORCE_ORIGIN_ATTR);
  130.         if (!$shouldAllowOrigin && !$shouldForceOrigin) {
  131.             $this->logger->debug("The origin should not be allowed and not be forced, skip adding CORS response headers.");
  133.             return;
  134.         }
  136.         if (!$options $this->configurationResolver->getOptions($request)) {
  137.             $this->logger->debug("Could not resolve options for request, skip adding CORS response headers.");
  139.             return;
  140.         }
  142.         if ($shouldAllowOrigin) {
  143.             $response $event->getResponse();
  144.             // add CORS response headers
  145.             $origin $request->headers->get('Origin');
  147.             $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Origin' response header to '%s'."$origin));
  149.             $response->headers->set('Access-Control-Allow-Origin'$origin);
  151.             if ($options['allow_credentials']) {
  152.                 $this->logger->debug("Setting 'Access-Control-Allow-Credentials' to 'true'.");
  154.                 $response->headers->set('Access-Control-Allow-Credentials''true');
  155.             }
  156.             if ($options['expose_headers']) {
  157.                 $headers strtolower(implode(', '$options['expose_headers']));
  159.                 $this->logger->debug(sprintf("Setting 'Access-Control-Expose-Headers' response header to '%s'."$headers));
  161.                 $response->headers->set('Access-Control-Expose-Headers'$headers);
  162.             }
  163.         }
  165.         if ($shouldForceOrigin) {
  166.             $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Origin' response header to '%s'."$options['forced_allow_origin_value']));
  168.             $event->getResponse()->headers->set('Access-Control-Allow-Origin'$options['forced_allow_origin_value']);
  169.         }
  170.     }
  172.     protected function getPreflightResponse(Request $request, array $options): Response
  173.     {
  174.         $response = new Response();
  175.         $response->setVary(['Origin']);
  177.         if ($options['allow_credentials']) {
  178.             $this->logger->debug("Setting 'Access-Control-Allow-Credentials' response header to 'true'.");
  180.             $response->headers->set('Access-Control-Allow-Credentials''true');
  181.         }
  182.         if ($options['allow_methods']) {
  183.             $methods implode(', '$options['allow_methods']);
  185.             $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Methods' response header to '%s'."$methods));
  187.             $response->headers->set('Access-Control-Allow-Methods'$methods);
  188.         }
  189.         if ($options['allow_headers']) {
  190.             $headers $this->isWildcard($options'allow_headers')
  191.                 ? $request->headers->get('Access-Control-Request-Headers')
  192.                 : implode(', '$options['allow_headers']);
  194.             if ($headers) {
  195.                 $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Headers' response header to '%s'."$headers));
  197.                 $response->headers->set('Access-Control-Allow-Headers'$headers);
  198.             }
  199.         }
  200.         if ($options['max_age']) {
  201.             $this->logger->debug(sprintf("Setting 'Access-Control-Max-Age' response header to '%d'."$options['max_age']));
  203.             $response->headers->set('Access-Control-Max-Age'$options['max_age']);
  204.         }
  206.         if (!$this->checkOrigin($request$options)) {
  207.             $this->logger->debug("Removing 'Access-Control-Allow-Origin' response header.");
  209.             $response->headers->remove('Access-Control-Allow-Origin');
  211.             return $response;
  212.         }
  214.         $origin $request->headers->get('Origin');
  216.         $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Origin' response header to '%s'"$origin));
  218.         $response->headers->set('Access-Control-Allow-Origin'$origin);
  220.         // check request method
  221.         $method strtoupper($request->headers->get('Access-Control-Request-Method'));
  222.         if (!in_array($method$options['allow_methods'], true)) {
  223.             $this->logger->debug(sprintf("Method '%s' is not allowed."$method));
  225.             $response->setStatusCode(405);
  227.             return $response;
  228.         }
  230.         /**
  231.          * We have to allow the header in the case-set as we received it by the client.
  232.          * Firefox f.e. sends the LINK method as "Link", and we have to allow it like this or the browser will deny the
  233.          * request.
  234.          */
  235.         if (!in_array($request->headers->get('Access-Control-Request-Method'), $options['allow_methods'], true)) {
  236.             $options['allow_methods'][] = $request->headers->get('Access-Control-Request-Method');
  237.             $response->headers->set('Access-Control-Allow-Methods'implode(', '$options['allow_methods']));
  238.         }
  240.         // check request headers
  241.         $headers $request->headers->get('Access-Control-Request-Headers');
  242.         if ($headers && !$this->isWildcard($options'allow_headers')) {
  243.             $headers strtolower(trim($headers));
  244.             foreach (preg_split('{, *}'$headers) as $header) {
  245.                 if (in_array($headerself::$simpleHeaderstrue)) {
  246.                     continue;
  247.                 }
  248.                 if (!in_array($header$options['allow_headers'], true)) {
  249.                     $sanitizedMessage htmlentities('Unauthorized header '.$headerENT_QUOTES'UTF-8');
  250.                     $response->setStatusCode(400);
  251.                     $response->setContent($sanitizedMessage);
  252.                     break;
  253.                 }
  254.             }
  255.         }
  257.         return $response;
  258.     }
  260.     protected function checkOrigin(Request $request, array $options): bool
  261.     {
  262.         // check origin
  263.         $origin $request->headers->get('Origin');
  265.         if ($this->isWildcard($options'allow_origin')) {
  266.             return true;
  267.         }
  269.         if ($options['origin_regex'] === true) {
  270.             // origin regex matching
  271.             foreach ($options['allow_origin'] as $originRegexp) {
  272.                 $this->logger->debug(sprintf("Matching origin regex '%s' to origin '%s'."$originRegexp$origin));
  274.                 if (preg_match('{'.$originRegexp.'}i'$origin)) {
  275.                     $this->logger->debug(sprintf("Origin regex '%s' matches origin '%s'."$originRegexp$origin));
  277.                     return true;
  278.                 }
  279.             }
  280.         } else {
  281.             // old origin matching
  282.             if (in_array($origin$options['allow_origin'])) {
  283.                 $this->logger->debug(sprintf("Origin '%s' is allowed."$origin));
  285.                 return true;
  286.             }
  287.         }
  289.         $this->logger->debug(sprintf("Origin '%s' is not allowed."$origin));
  291.         return false;
  292.     }
  294.     private function isWildcard(array $optionsstring $option): bool
  295.     {
  296.         $result $options[$option] === true || (is_array($options[$option]) && in_array('*'$options[$option]));
  298.         $this->logger->debug(sprintf("Option '%s' is %s a wildcard."$option$result '' 'not'));
  300.         return $result;
  301.     }
  302. }