flightphp / core

An extensible micro-framework for PHP
https://docs.flightphp.com
MIT License

CORS - cross origin request not working. #425

Closed. TrickTrackers closed this 5 months ago

TrickTrackers commented 3 years ago

My .htaccess file

RewriteEngine On

Header set Access-Control-Allow-Origin *
Header set Access-Control-Allow-Credentials true

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

When I try to access my API from another host or port, a CORS issue comes up. Can anyone please help with this?

pierresh commented 3 years ago

Here is the code I use in my index.php (taken from here). It works well whatever the host and the port.

// Reflect whatever Origin the browser sent back in the response
if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');
}

// Answer the preflight request and stop before any route runs
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
        header(
            'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS'
        );
    }
    // Echo back the list of request headers the browser asked about
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
        header(
            "Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
        );
    }
    exit(0);
}

n0nag0n commented 5 months ago

I'd like to implement something like this in the framework. It's meant to be an API framework and it's pretty common to do CORS stuff, especially with Javascript-y things.

n0nag0n commented 5 months ago

Another link to get some ideas from to set up CORS with security. https://stackoverflow.com/questions/8719276/cross-origin-request-headerscors-with-php-headers

n0nag0n commented 5 months ago

@fadrian06 @krmu One of you could easily do this one. I was thinking of maybe adding a class called Cors or something in the util/ folder, and then you could add some of these headers via Flight::app()->response->header('cors header', 'value'); or something. That would be nice because then the headers wouldn't be set before the page is rendered or the body is output. That'd be the way to go.

n0nag0n commented 5 months ago

Added this example to the new security page in the docs. https://docs.flightphp.com/learn/security

pierresh commented 5 months ago

> Added this example to the new security page in the docs. https://docs.flightphp.com/learn/security

Hello,

I believe this example is not very good because it simply deactivates the CORS functionality. I used to do it that way before, but some of my customers did penetration tests and found this as a vulnerability. It is much cleaner to allow a whitelist and check if the HTTP_ORIGIN is one of the allowed values.

I gave an example of my new approach (which passes my customers' penetration tests) here: https://github.com/flightphp/core/issues/486
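The following is an added example of the allowlist approach described in this comment, written for this page; it is not code from the flightphp/core project or from the linked issue, and it is the hardened counterpart of the origin-reflecting snippet posted earlier in the thread. The origins in ALLOWED_ORIGINS and the function names cors_headers() and handle_cors() are assumptions made for the example; the headers are computed into an array first so the decision can be checked without a web server.

```php
<?php
// Added example, not flightphp/core code. Demonstrates allowlist-based CORS:
// the Origin header is compared against a fixed list and only an exact match
// is echoed back; any other origin gets no CORS headers at all.
declare(strict_types=1);

// Constructed allowlist for this example. Entries are full origins
// (scheme, host and port), so 'http://localhost:3000' does not match
// 'https://localhost:3000' or 'http://localhost:3001'.
const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'http://localhost:3000',
];

/**
 * Compute the CORS headers for one request. Returns an empty array when the
 * Origin is missing or not on the allowlist, so the browser blocks the
 * cross-origin read instead of the server reflecting an arbitrary Origin.
 */
function cors_headers(array $server, array $allowed = ALLOWED_ORIGINS): array
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return [];
    }

    $headers = [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        // The response differs per Origin, so shared caches must key on it.
        'Vary'                             => 'Origin',
    ];

    if (($server['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
        // State the request headers the API actually accepts rather than
        // echoing Access-Control-Request-Headers back verbatim.
        $headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
        $headers['Access-Control-Max-Age']       = '86400';
    }

    return $headers;
}

/**
 * Emit the computed headers. Returns true when the request was a preflight
 * that has been fully answered, so the caller can stop before routing.
 */
function handle_cors(array $server): bool
{
    foreach (cors_headers($server) as $name => $value) {
        header("$name: $value");
    }
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        http_response_code(204);
        return true;
    }
    return false;
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed requests when run from the command line.
    $allowed = cors_headers(['HTTP_ORIGIN' => 'http://localhost:3000', 'REQUEST_METHOD' => 'OPTIONS']);
    if (($allowed['Access-Control-Allow-Origin'] ?? null) !== 'http://localhost:3000') {
        throw new RuntimeException('allowlisted origin was not echoed back');
    }
    $denied = cors_headers(['HTTP_ORIGIN' => 'https://attacker.example', 'REQUEST_METHOD' => 'GET']);
    if ($denied !== []) {
        throw new RuntimeException('non-allowlisted origin received CORS headers');
    }
    $sameOrigin = cors_headers(['REQUEST_METHOD' => 'GET']);
    if ($sameOrigin !== []) {
        throw new RuntimeException('request without Origin should get no CORS headers');
    }
    echo "allowlist checks passed\n";
} else {
    // Placed at the top of index.php, before routes are dispatched.
    if (handle_cors($_SERVER)) {
        exit;
    }
}
```

Running the file with php on the command line exercises the three cases (allowlisted origin, unknown origin, no Origin header); under a web server it emits the headers and short-circuits preflight requests with 204. Keeping Allow-Credentials paired with a single echoed origin is what makes the allowlist meaningful, since browsers refuse a wildcard origin together with credentials, and the Vary: Origin header prevents a cached response for one allowed origin from being served to another.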

n0nag0n commented 5 months ago

Noted and fixed :) I included this one as an example... but showing them proper examples is better. I was moving too fast and didn't think it through. My bad!