fruitcake / laravel-cors

Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application
MIT License

allow origin feature proposal for app-ends #427

Open pokemonhan opened 4 years ago

pokemonhan commented 4 years ago

I have two ends: web-ends and application-ends. Web-ends have an origin but application-ends have no origin. For example, application-ends start with the URL:

'paths' => [
    'app-api/',      // for application ends, APK and app etc.
    'backend-api/',  // for web-ends
    'merchant-api/', // for web-ends
    'h5-api/',       // for web-end
],

Web-ends send requests from their sites, each with its own domain, so each of them has Origin and Referer fields in the header. But APK and app ends send requests directly to the API (URLs start with app-api), so they have no Origin and Referer fields. So I want to propose a feature for app-ends. It would be possible to make whitelists to allow the origin if the request is from an application to app-api with allow origin *, but other ends are only allowed with the specific origins configured inside

'allowed_origins' => [
    'http://h5.jianghu.local',
    'http://madmin.jianghu.local',
    'http://cadmin.jianghu.local',
],

barryvdh commented 4 years ago

This is currently not possible. If this is a popular request, we could look into creating a callback for the allowOrigins method or something.

eac0n commented 4 years ago

If such a callback would allow dynamically setting the allowed_origins, it would possibly also solve this recently closed issue: #328

audunru commented 3 years ago

https://github.com/spatie/laravel-cors has/had a feature where the loading of the config was handled by a class, and a property in the config defined which class to use.

So in cors.php in that package, you would change

'cors_profile' => Spatie\Cors\CorsProfile\DefaultProfile::class,

to

'cors_profile' => App\Http\CustomCorsProfile::class,

and write your own implementation of the default profile.

My profile when I was using the spatie package used to look like this. It would return an array of allowed origins that the user could configure themselves.

namespace App\Http\Cors;

use Illuminate\Support\Facades\App;
use Spatie\Cors\CorsProfile\DefaultProfile;

class CompanyCorsProfile extends DefaultProfile
{
    public function allowOrigins(): array
    {
        if (request()->route()->hasParameter('company')) {
            return array_merge(
                [App::isLocal() ? 'http://localhost:3000' : config('app.url')],
                request()->company->allowed_origins
            );
        }

        return parent::allowOrigins();
    }
}

I think for now I'll go with the answer in the other issue.

matt-allan commented 3 years ago

Hi, I've got a similar issue. In my case I'm serving a single app on multiple domains and I need to filter the allowed_origins based on the domain the app is being loaded from. For example, I want to allow:

a.test -> app.a.test
b.test -> app.b.test

... but not:

a.test -> app.b.test
b.test -> app.a.test

Between the CorsService using a private property for options and the cors.php config being remapped in the CorsServiceProvider, it's rather difficult to update the options dynamically at runtime.

djohnston08 commented 3 years ago

I second the message above about the solution in the spatie package. Due to using WKWebView in a Cordova app, requests come in with Origin => file://. Previously, with the spatie package, I could just point the mobile app at a subdomain that also served the API, but check the host and if it was the subdomain requested for mobile access then override the allowed_hosts to ['*']. We desperately need something to be able to configure options dynamically at runtime or this becomes a major hurdle in upgrading Laravel versions as well.
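The per-path and per-host origin selection requested in this thread, as an added framework-free PHP 8 example. It is not part of any comment above and is not laravel-cors or spatie/laravel-cors code; the rule table shape, the `corsHeadersFor` function, the `api.test` host and the `https://` schemes on `a.test`/`b.test` are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed rule table (hypothetical shape, not a laravel-cors option).
// First rule whose host and path prefix match decides; null host = any host.
const CORS_RULES = [
    ['host' => null,         'prefix' => 'app-api/', 'origins' => ['*']],
    ['host' => 'app.a.test', 'prefix' => '',         'origins' => ['https://a.test']],
    ['host' => 'app.b.test', 'prefix' => '',         'origins' => ['https://b.test']],
    ['host' => null,         'prefix' => '',         'origins' => ['http://h5.jianghu.local']],
];

/** Returns the CORS response headers for one request; [] means "emit none". */
function corsHeadersFor(string $host, string $path, ?string $origin, array $rules = CORS_RULES): array
{
    // Native apps and server-side clients send no Origin header; CORS is
    // enforced by browsers only, so there is nothing to grant or deny here.
    if ($origin === null || $origin === '') {
        return [];
    }
    $path = ltrim($path, '/');
    foreach ($rules as $rule) {
        if ($rule['host'] !== null && strcasecmp($rule['host'], $host) !== 0) {
            continue;
        }
        if (!str_starts_with($path, $rule['prefix'])) {
            continue;
        }
        if (in_array('*', $rule['origins'], true)) {
            // Wildcard also admits an Origin such as file:// from a WebView app.
            return ['Access-Control-Allow-Origin' => '*'];
        }
        if (in_array($origin, $rule['origins'], true)) {
            // Echo the exact origin; Vary keeps caches from mixing responses.
            return ['Access-Control-Allow-Origin' => $origin, 'Vary' => 'Origin'];
        }
        return ['Vary' => 'Origin']; // rule matched, origin not on its list
    }
    return [];
}

// Constructed sample requests: [Host, path, Origin].
foreach ([
    ['api.test', '/app-api/login', null],
    ['api.test', '/app-api/login', 'file://'],
    ['app.a.test', '/orders', 'https://a.test'],
    ['app.a.test', '/orders', 'https://b.test'],
] as [$host, $path, $origin]) {
    echo json_encode([$host, $path, $origin]), ' => ', json_encode(corsHeadersFor($host, $path, $origin)), PHP_EOL;
}
```

Browsers do not accept `Access-Control-Allow-Origin: *` on credentialed requests (cookies, HTTP auth), so the wildcard rule fits only endpoints that authenticate with an explicit token.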