jdesrosiers / silex-cors-provider

A silex service provider that adds CORS services to silex
MIT License
78 stars 25 forks

Access-Control-Allow-Origin returns 'null' for unauthorized origins #25

Closed moee closed 8 years ago

moee commented 8 years ago

Reproduction

  1. Allow requests from a specific origin only

$app->register(new CorsServiceProvider(), array(
    "cors.allowOrigin" => "http://foo.com",
));

  2. Make a request from a different origin

curl -X GET -H "Origin: http://bar.com" -I http://api

Expected result

No Access-Control-Allow-Origin is sent at all

Actual result

Access-Control-Allow-Origin is set to null

Remarks

There is a test that explicitly tests for this behavior. Therefore I'm not sure if this is intentional or not.

jdesrosiers commented 8 years ago

null is a valid and expected value for the Access-Control-Allow-Origin header [1]. To the best of my understanding, returning null is the proper way to respond to this request. The flow chart [2] indicates that an invalid origin does not make the request an invalid CORS request. Therefore, it should respond as a CORS request and list the domains that are allowed or null if there are none or the server doesn't want to say. This provider is designed not to give any information about allowed domains as a security measure, so requests from invalid domains always receive null.

[1] https://www.w3.org/TR/cors/#access-control-allow-origin-response-header [2] http://www.html5rocks.com/static/images/cors_server_flowchart.png
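As an added example (not code from silex-cors-provider), the decision described in the comment above, written out as a small PHP function with both strategies side by side: answer a disallowed Origin with the literal value "null" (what the provider does) or omit the header entirely (what the reporter expected). The allowlist format (an array of exact origins or the single wildcard "*"), the case-insensitive scheme/host comparison, the Vary header and all function names are assumptions made for this example:

```php
<?php
declare(strict_types=1);

// Added example, not code from silex-cors-provider. It models the two ways of
// answering a disallowed Origin that this issue discusses. Assumptions: the
// allowlist is an array of exact origins (scheme://host[:port]) or the single
// wildcard "*", and scheme/host are compared case-insensitively.

const STRATEGY_NULL = 'null'; // provider behaviour: always send "null"
const STRATEGY_OMIT = 'omit'; // reporter's expectation: send no header

/** Canonicalise an origin string, or return null if it is not a valid origin. */
function normalizeOrigin(string $origin): ?string
{
    $parts = parse_url(trim($origin));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $canonical = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $canonical .= ':' . $parts['port'];
    }
    return $canonical;
}

/**
 * Value for Access-Control-Allow-Origin, or null when the header is omitted.
 * $requestOrigin is the raw Origin request header (null if absent).
 */
function allowOriginHeader(?string $requestOrigin, array $allowedOrigins, string $strategy): ?string
{
    if ($requestOrigin === null) {
        return null; // no Origin header: not a CORS request, nothing to say
    }
    if (in_array('*', $allowedOrigins, true)) {
        return '*'; // public resource
    }
    $origin = normalizeOrigin($requestOrigin);
    if ($origin !== null) {
        foreach ($allowedOrigins as $allowed) {
            if (normalizeOrigin($allowed) === $origin) {
                return $origin; // exact allowlist hit: echo the origin back
            }
        }
    }
    // Not on the allowlist (or malformed): the case this issue is about
    return $strategy === STRATEGY_NULL ? 'null' : null;
}

/** Response headers as the issue's `curl -I` call would show them. */
function corsResponseHeaders(?string $requestOrigin, array $allowedOrigins, string $strategy): array
{
    // Vary: Origin is a caching precaution not discussed in the issue: the
    // answer depends on the request's Origin, so shared caches must key on it.
    $headers = ['Vary' => 'Origin'];
    $value = allowOriginHeader($requestOrigin, $allowedOrigins, $strategy);
    if ($value !== null) {
        $headers['Access-Control-Allow-Origin'] = $value;
    }
    return $headers;
}

// Reproduction from the issue: only http://foo.com is allowed. The Origin
// values below are constructed inputs for this example.
$allowed = ['http://foo.com'];
foreach ([STRATEGY_NULL, STRATEGY_OMIT] as $strategy) {
    foreach (['http://foo.com', 'http://Foo.com', 'http://bar.com', 'null', null] as $origin) {
        $headers = corsResponseHeaders($origin, $allowed, $strategy);
        printf(
            "strategy=%s Origin=%s -> %s\n",
            $strategy,
            $origin ?? '(absent)',
            $headers['Access-Control-Allow-Origin'] ?? '(header omitted)'
        );
    }
}
```

Running it reproduces the issue's curl observation for `Origin: http://bar.com` under STRATEGY_NULL and shows the header disappearing under STRATEGY_OMIT. The last constructed input is worth a practitioner's attention: browsers send the literal request header `Origin: null` for opaque origins (sandboxed iframes, `data:` and `file:` documents), and under STRATEGY_NULL that request receives `Access-Control-Allow-Origin: null`, which is an exact match for the requester rather than a refusal. Omitting the header for anything not on the allowlist avoids that edge case.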

moee commented 8 years ago

That makes perfect sense then, I wasn't aware that this is the valid behavior. Thanks for the explanation.