Closed TrickTrackers closed 5 months ago
Here is the code I use in my index.php (took from here). It works well whatever the host and the port.
    // Reflect whatever Origin the browser sent (any origin is accepted).
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Max-Age: 86400');
    }

    // Answer the preflight request and stop before any body is output.
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
            header(
                'Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS'
            );
        }
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
            header(
                "Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"
            );
        }
        exit(0);
    }
I'd like to implement something like this in the framework. It's meant to be an API framework and it's pretty common to do CORS stuff, especially with Javascript-y things.
Another link to get some ideas from to set up CORS with security. https://stackoverflow.com/questions/8719276/cross-origin-request-headerscors-with-php-headers
@fadrian06 @krmu One of you could easily do this one. I was thinking of maybe adding a class called Cors or something in the util/ folder, and then you could add some of these headers via Flight::app()->response->header('cors header', 'value'); or something. That would be nice because then the headers wouldn't be set before the page is rendered or the body is output. That'd be the way to go.
Added this example to the new security page in the docs. https://docs.flightphp.com/learn/security
Hello,
I believe this example is not very good because it simply de-activates the CORS functionality. I used to do that way before but some of my customers did penetration tests and found this as a vulnerability. It is much cleaner to allow a whitelist and check if the HTTP_ORIGIN is one of the allowed values.
I gave an example of my new approach -which passes my customers' penetration tests- here: https://github.com/flightphp/core/issues/486
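The allow-list approach described in the comment above, and the Cors helper class the maintainers discussed earlier in the thread, written out as an added example (this is not code from the issue, from the linked issue #486, or from the Flight project). It keeps the plain header() calls of the original snippet so it drops into index.php as-is; the class name CorsPolicy, the origins in the constructor, and the list of accepted request headers are assumptions for illustration. The difference from the original snippet is that the Origin value is only echoed back when it exactly matches an entry in the list, so an arbitrary site can no longer make credentialed requests.

```php
<?php
// Added example, not from the flightphp/core thread or project.
// Allow-list CORS handling: the Origin header is compared against a fixed
// list and echoed back only on an exact match; everything else gets no
// CORS headers at all, so the browser blocks the cross-origin read.

final class CorsPolicy
{
    /** @var string[] exact origins (scheme + host + port) allowed to call the API */
    private array $allowedOrigins;

    /** @var string[] request headers the API is willing to accept in a preflight (assumed list) */
    private array $acceptedHeaders = ['content-type', 'authorization', 'x-requested-with'];

    public function __construct(array $allowedOrigins)
    {
        // Normalise to lower case so "https://App.Example" still matches.
        $this->allowedOrigins = array_map('strtolower', $allowedOrigins);
    }

    /**
     * Compute the CORS response headers for one request.
     * Returns an empty array when Origin is absent or not on the list.
     */
    public function headersFor(?string $origin, string $method, ?string $requestedHeaders): array
    {
        if ($origin === null || !in_array(strtolower($origin), $this->allowedOrigins, true)) {
            return [];
        }

        // Echo only the matched origin, and tell shared caches the answer varies by it.
        $headers = [
            'Access-Control-Allow-Origin'      => $origin,
            'Access-Control-Allow-Credentials' => 'true',
            'Vary'                             => 'Origin',
        ];

        if ($method === 'OPTIONS') {
            // Preflight: a fixed method list, and only the request headers we accept,
            // rather than reflecting whatever the client asked for.
            $headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
            $allowed = $this->filterRequestedHeaders($requestedHeaders);
            if ($allowed !== '') {
                $headers['Access-Control-Allow-Headers'] = $allowed;
            }
            $headers['Access-Control-Max-Age'] = '86400';
        }

        return $headers;
    }

    /** Keep only the requested header names that are on the accepted list. */
    private function filterRequestedHeaders(?string $requested): string
    {
        if ($requested === null) {
            return '';
        }
        $wanted = array_map('trim', explode(',', strtolower($requested)));
        return implode(', ', array_intersect($wanted, $this->acceptedHeaders));
    }
}

// Wiring in index.php, before any body output. Origins below are constructed examples.
$policy = new CorsPolicy([
    'https://app.example',     // production front-end (assumed)
    'http://localhost:3000',   // local development server (assumed)
]);

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$headers = $policy->headersFor(
    $_SERVER['HTTP_ORIGIN'] ?? null,
    $method,
    $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? null
);

foreach ($headers as $name => $value) {
    header("$name: $value");
}

if ($method === 'OPTIONS') {
    // A preflight never needs a body; end it here whether or not the origin matched.
    http_response_code(204);
    exit;
}
```

Because headersFor() is a pure function of the three request values, it can be unit-tested without a web server, and the same object can be reused inside a framework hook that writes the returned pairs through the framework's own response object instead of header().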
Noted and fixed :) I included this one as an example... but showing them proper examples is better. I was moving too fast and didn't think through it. My bad!
My .htaccess file
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]
When I try to access my API from another host or port, a CORS issue comes up. Please, can anyone help with this?