DonutsNL / glpisaml

I moved to: https://codeberg.org/QuinQuies

This plugin is a full rewrite of Derrick Smith's initial SAML plugin for GLPI10+. It's redesigned to be compatible with GLPI10+, PSR and Composer, and supports multiple SAML IdPs, user right rules and more.
https://discord.gg/yKZB7VQUk6
GNU General Public License v3.0

CORS support #3

Closed DonutsNL closed 2 months ago

DonutsNL commented 9 months ago

Implement Access-Control-Allow-Origin: https://idp.domain header for CORS enabled environments.

jhouxatjvx commented 9 months ago

Can you explain what this feature would do? I thought adding the Access-Control-Allow-Origin header is something done by the web server (Apache/nginx).

DonutsNL commented 9 months ago

CORS can be handled from PHP as well.

The general idea is to extract the domain information from the IdP URL config and generate the CORS header using this information.

We can use the PHP header() function in conjunction with $_SERVER to figure out if the browser is performing a preflight check (HTTP OPTIONS request) and respond with the correct CORS headers. This logic should be added to the assertion function where the IdP is redirecting the user.

https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

jhouxatjvx commented 9 months ago

OK, I think I see. So it has the same effect as if you had manually configured the Apache server to respond with CORS headers for requests that came from the IdP domain. But having PHP figure it out and add the headers automatically from the plugin configuration saves you from having to configure Apache to do it. Is this correct?

DonutsNL commented 9 months ago

It is. It also prevents configuration mistakes and typos, and allows us to validate the URLs and check if they are valid.

It also prevents the Access-Control-Allow-Origin: * config if you want to use multiple external sources, which is basically the same as not implementing CORS and therefore less secure.
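The approach described across this thread (derive the allowed origins from the configured IdP URLs, validate them, detect an OPTIONS preflight via $_SERVER, and answer with header() using an exact origin instead of a wildcard), as an added example that is not glpisaml project code. The function names, the shape of the config array and the sample URLs are assumptions made for the illustration; the logic is split so that the decision can be exercised without a live request.

```php
<?php
// Added example, not part of the glpisaml plugin. Shows one way to implement
// the idea from the issue: build a CORS allow-list from the IdP URL config,
// validate each URL, and answer preflight (OPTIONS) requests from PHP with an
// exact-match Access-Control-Allow-Origin header rather than "*".

declare(strict_types=1);

/**
 * Turn configured IdP URLs into a list of allowed origins (scheme://host[:port]).
 * Entries that are not valid absolute HTTPS URLs are skipped, so a typo in the
 * configuration never silently produces a permissive header.
 *
 * @param string[] $idpUrls IdP URLs as they might be stored in the plugin config
 * @return string[]         Unique, normalised origins
 */
function saml_allowed_origins(array $idpUrls): array
{
    $origins = [];
    foreach ($idpUrls as $url) {
        $parts = parse_url(trim($url));
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            continue; // not an absolute URL
        }
        $scheme = strtolower($parts['scheme']);
        if ($scheme !== 'https' || filter_var($url, FILTER_VALIDATE_URL) === false) {
            continue; // refuse to allow-list anything that is not a valid https:// URL
        }
        $origin = $scheme . '://' . strtolower($parts['host']);
        if (isset($parts['port']) && $parts['port'] !== 443) {
            $origin .= ':' . $parts['port'];
        }
        $origins[$origin] = true; // de-duplicate
    }
    return array_keys($origins);
}

/**
 * Decide status and headers for one request. $server is normally $_SERVER;
 * it is passed in so the decision can be tested without a web server.
 *
 * @param string[] $allowedOrigins Output of saml_allowed_origins()
 * @return array{status:int, headers:string[], preflight:bool}
 */
function saml_cors_response(array $server, array $allowedOrigins): array
{
    $origin      = $server['HTTP_ORIGIN'] ?? '';
    $method      = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    $isPreflight = $method === 'OPTIONS' && isset($server['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);

    // Exact, case-sensitive comparison against the allow-list: no wildcard and no
    // prefix/suffix matching, so "https://idp.example.org.evil.test" cannot pass.
    if ($origin === '' || !in_array($origin, $allowedOrigins, true)) {
        // Unknown origin: emit no Access-Control-* headers. A preflight from an
        // unknown origin gets 403 so the browser blocks the actual request.
        return ['status' => $isPreflight ? 403 : 200, 'headers' => ['Vary: Origin'], 'preflight' => $isPreflight];
    }

    $headers = [
        'Access-Control-Allow-Origin: ' . $origin,
        'Vary: Origin', // tell caches this response depends on the Origin header
        'Access-Control-Allow-Methods: POST, OPTIONS',
        'Access-Control-Allow-Headers: Content-Type',
    ];
    if ($isPreflight) {
        $headers[] = 'Access-Control-Max-Age: 600';
        return ['status' => 204, 'headers' => $headers, 'preflight' => true];
    }
    return ['status' => 200, 'headers' => $headers, 'preflight' => false];
}

/** Emit the decision with header(); intended to run at the top of the assertion endpoint. */
function saml_send_cors(array $allowedOrigins): void
{
    $r = saml_cors_response($_SERVER, $allowedOrigins);
    http_response_code($r['status']);
    foreach ($r['headers'] as $h) {
        header($h);
    }
    if ($r['preflight']) {
        exit; // a preflight response carries no body
    }
}

// Constructed sample config: one valid IdP, one typo, one non-TLS entry.
$sampleConfig = [
    'https://idp.example.org/saml2/idp/SSOService.php',
    'htps://typo.example.org/sso',   // skipped: misspelled scheme
    'http://legacy.example.org/sso', // skipped: not https
];
$allowed = saml_allowed_origins($sampleConfig); // ['https://idp.example.org']

// Simulated preflight from the IdP origin (constructed array, not a live $_SERVER).
print_r(saml_cors_response([
    'REQUEST_METHOD'                     => 'OPTIONS',
    'HTTP_ORIGIN'                        => 'https://idp.example.org',
    'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST',
], $allowed)); // status 204 with Access-Control-Allow-Origin: https://idp.example.org
```

Two points worth keeping in mind when wiring this into the assertion endpoint: the browser only sends a preflight for cross-origin fetch/XHR requests, so a plain top-level form POST from the IdP (the usual SAML HTTP-POST binding) never triggers this code path and needs no CORS headers; and `Vary: Origin` should be sent even on the rejection path, otherwise a shared cache may serve one origin's answer to another.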