vendor/nelmio/cors-bundle/EventListener/CorsListener.php line 59

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the NelmioCorsBundle.
  5.  *
  6.  * (c) Nelmio <hello@nelm.io>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Nelmio\CorsBundle\EventListener;
  14. use Nelmio\CorsBundle\Options\ResolverInterface;
  15. use Psr\Log\LoggerInterface;
  16. use Psr\Log\NullLogger;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Response;
  19. use Symfony\Component\HttpKernel\Event\RequestEvent;
  20. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  21. use Symfony\Component\HttpKernel\HttpKernelInterface;
  23. /**
  24.  * Adds CORS headers and handles pre-flight requests
  25.  *
  26.  * @author Jordi Boggiano <j.boggiano@seld.be>
  27.  */
  28. class CorsListener
  29. {
  30.     const SHOULD_ALLOW_ORIGIN_ATTR '_nelmio_cors_should_allow_origin';
  31.     const SHOULD_FORCE_ORIGIN_ATTR '_nelmio_cors_should_force_origin';
  33.     /**
  34.      * Simple headers as defined in the spec should always be accepted
  35.      */
  36.     protected static $simpleHeaders = [
  37.         'accept',
  38.         'accept-language',
  39.         'content-language',
  40.         'origin',
  41.     ];
  43.     /** @var ResolverInterface */
  44.     protected $configurationResolver;
  46.     /** @var LoggerInterface */
  47.     private $logger;
  49.     public function __construct(ResolverInterface $configurationResolver, ?LoggerInterface $logger null)
  50.     {
  51.         $this->configurationResolver $configurationResolver;
  53.         if (null === $logger) {
  54.             $logger = new NullLogger();
  55.         }
  56.         $this->logger $logger;
  57.     }
  59.     public function onKernelRequest(RequestEvent $event): void
  60.     {
  61.         if (HttpKernelInterface::MAIN_REQUEST !== $event->getRequestType()) {
  62.             $this->logger->debug('Not a master type request, skipping CORS checks.');
  64.             return;
  65.         }
  67.         $request $event->getRequest();
  69.         if (!$options $this->configurationResolver->getOptions($request)) {
  70.             $this->logger->debug('Could not get options for request, skipping CORS checks.');
  71.             return;
  72.         }
  74.         // if the "forced_allow_origin_value" option is set, add a listener which will set or override the "Access-Control-Allow-Origin" header
  75.         if (!empty($options['forced_allow_origin_value'])) {
  76.             $this->logger->debug(sprintf(
  77.                 "The 'forced_allow_origin_value' option is set to '%s', adding a listener to set or override the 'Access-Control-Allow-Origin' header.",
  78.                 $options['forced_allow_origin_value']
  79.             ));
  81.             $request->attributes->set(self::SHOULD_FORCE_ORIGIN_ATTRtrue);
  82.         }
  84.         // skip if not a CORS request
  85.         if (!$request->headers->has('Origin')) {
  86.             $this->logger->debug("Request does not have 'Origin' header, skipping CORS.");
  88.             return;
  89.         }
  91.         if ($options['skip_same_as_origin'] && $request->headers->get('Origin') === $request->getSchemeAndHttpHost()) {
  92.             $this->logger->debug("The 'Origin' header of the request equals the scheme and host the request was sent to, skipping CORS.");
  94.             return;
  95.         }
  97.         // perform preflight checks
  98.         if ('OPTIONS' === $request->getMethod() &&
  99.             ($request->headers->has('Access-Control-Request-Method') ||
  100.                 $request->headers->has('Access-Control-Request-Private-Network'))
  101.         ) {
  102.             $this->logger->debug("Request is a preflight check, setting event response now.");
  104.             $event->setResponse($this->getPreflightResponse($request$options));
  106.             return;
  107.         }
  109.         if (!$this->checkOrigin($request$options)) {
  110.             $this->logger->debug("Origin check failed.");
  112.             return;
  113.         }
  115.         $this->logger->debug("Origin is allowed, proceed with adding CORS response headers.");
  117.         $request->attributes->set(self::SHOULD_ALLOW_ORIGIN_ATTRtrue);
  118.     }
  120.     public function onKernelResponse(ResponseEvent $event): void
  121.     {
  122.         if (HttpKernelInterface::MAIN_REQUEST !== $event->getRequestType()) {
  123.             $this->logger->debug("Not a master type request, skip adding CORS response headers.");
  125.             return;
  126.         }
  128.         $request $event->getRequest();
  130.         $shouldAllowOrigin $request->attributes->getBoolean(self::SHOULD_ALLOW_ORIGIN_ATTR);
  131.         $shouldForceOrigin $request->attributes->getBoolean(self::SHOULD_FORCE_ORIGIN_ATTR);
  133.         if (!$shouldAllowOrigin && !$shouldForceOrigin) {
  134.             $this->logger->debug("The origin should not be allowed and not be forced, skip adding CORS response headers.");
  136.             return;
  137.         }
  139.         if (!$options $this->configurationResolver->getOptions($request)) {
  140.             $this->logger->debug("Could not resolve options for request, skip adding CORS response headers.");
  142.             return;
  143.         }
  145.         if ($shouldAllowOrigin) {
  146.             $response $event->getResponse();
  147.             // add CORS response headers
  148.             $origin $request->headers->get('Origin');
  150.             $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Origin' response header to '%s'."$origin));
  152.             $response->headers->set('Access-Control-Allow-Origin'$origin);
  154.             if ($options['allow_credentials']) {
  155.                 $this->logger->debug("Setting 'Access-Control-Allow-Credentials' to 'true'.");
  157.                 $response->headers->set('Access-Control-Allow-Credentials''true');
  158.             }
  159.             if ($options['expose_headers']) {
  160.                 $headers strtolower(implode(', '$options['expose_headers']));
  162.                 $this->logger->debug(sprintf("Setting 'Access-Control-Expose-Headers' response header to '%s'."$headers));
  164.                 $response->headers->set('Access-Control-Expose-Headers'$headers);
  165.             }
  166.         }
  168.         if ($shouldForceOrigin) {
  169.             $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Origin' response header to '%s'."$options['forced_allow_origin_value']));
  171.             $event->getResponse()->headers->set('Access-Control-Allow-Origin'$options['forced_allow_origin_value']);
  172.         }
  173.     }
  175.     protected function getPreflightResponse(Request $request, array $options): Response
  176.     {
  177.         $response = new Response();
  178.         $response->setVary(['Origin']);
  180.         if ($options['allow_credentials']) {
  181.             $this->logger->debug("Setting 'Access-Control-Allow-Credentials' response header to 'true'.");
  183.             $response->headers->set('Access-Control-Allow-Credentials''true');
  184.         }
  185.         if ($options['allow_methods']) {
  186.             $methods implode(', '$options['allow_methods']);
  188.             $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Methods' response header to '%s'."$methods));
  190.             $response->headers->set('Access-Control-Allow-Methods'$methods);
  191.         }
  192.         if ($options['allow_headers']) {
  193.             $headers $this->isWildcard($options'allow_headers')
  194.                 ? $request->headers->get('Access-Control-Request-Headers')
  195.                 : implode(', '$options['allow_headers']);
  197.             if ($headers) {
  198.                 $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Headers' response header to '%s'."$headers));
  200.                 $response->headers->set('Access-Control-Allow-Headers'$headers);
  201.             }
  202.         }
  203.         if ($options['max_age']) {
  204.             $this->logger->debug(sprintf("Setting 'Access-Control-Max-Age' response header to '%d'."$options['max_age']));
  206.             $response->headers->set('Access-Control-Max-Age'$options['max_age']);
  207.         }
  209.         if (!$this->checkOrigin($request$options)) {
  210.             $this->logger->debug("Removing 'Access-Control-Allow-Origin' response header.");
  212.             $response->headers->remove('Access-Control-Allow-Origin');
  214.             return $response;
  215.         }
  217.         $origin $request->headers->get('Origin');
  219.         $this->logger->debug(sprintf("Setting 'Access-Control-Allow-Origin' response header to '%s'"$origin));
  221.         $response->headers->set('Access-Control-Allow-Origin'$origin);
  223.         // check private network access
  224.         if ($request->headers->has('Access-Control-Request-Private-Network')
  225.             && strtolower($request->headers->get('Access-Control-Request-Private-Network')) === 'true'
  226.         ) {
  227.             if ($options['allow_private_network']) {
  228.                 $this->logger->debug("Setting 'Access-Control-Allow-Private-Network' response header to 'true'.");
  230.                 $response->headers->set('Access-Control-Allow-Private-Network''true');
  231.             } else {
  232.                 $response->setStatusCode(400);
  233.                 $response->setContent('Private Network Access is not allowed.');
  234.             }
  235.         }
  237.         // check request method
  238.         $method strtoupper($request->headers->get('Access-Control-Request-Method'));
  239.         if (!in_array($method$options['allow_methods'], true)) {
  240.             $this->logger->debug(sprintf("Method '%s' is not allowed."$method));
  242.             $response->setStatusCode(405);
  244.             return $response;
  245.         }
  247.         /**
  248.          * We have to allow the header in the case-set as we received it by the client.
  249.          * Firefox f.e. sends the LINK method as "Link", and we have to allow it like this or the browser will deny the
  250.          * request.
  251.          */
  252.         if (!in_array($request->headers->get('Access-Control-Request-Method'), $options['allow_methods'], true)) {
  253.             $options['allow_methods'][] = $request->headers->get('Access-Control-Request-Method');
  254.             $response->headers->set('Access-Control-Allow-Methods'implode(', '$options['allow_methods']));
  255.         }
  257.         // check request headers
  258.         $headers $request->headers->get('Access-Control-Request-Headers');
  259.         if ($headers && !$this->isWildcard($options'allow_headers')) {
  260.             $headers strtolower(trim($headers));
  261.             foreach (preg_split('{, *}'$headers) as $header) {
  262.                 if (in_array($headerself::$simpleHeaderstrue)) {
  263.                     continue;
  264.                 }
  265.                 if (!in_array($header$options['allow_headers'], true)) {
  266.                     $sanitizedMessage htmlentities('Unauthorized header '.$headerENT_QUOTES'UTF-8');
  267.                     $response->setStatusCode(400);
  268.                     $response->setContent($sanitizedMessage);
  269.                     break;
  270.                 }
  271.             }
  272.         }
  274.         return $response;
  275.     }
  277.     protected function checkOrigin(Request $request, array $options): bool
  278.     {
  279.         // check origin
  280.         $origin $request->headers->get('Origin');
  282.         if ($this->isWildcard($options'allow_origin')) {
  283.             return true;
  284.         }
  286.         if ($options['origin_regex'] === true) {
  287.             // origin regex matching
  288.             foreach ($options['allow_origin'] as $originRegexp) {
  289.                 $this->logger->debug(sprintf("Matching origin regex '%s' to origin '%s'."$originRegexp$origin));
  291.                 if (preg_match('{'.$originRegexp.'}i'$origin)) {
  292.                     $this->logger->debug(sprintf("Origin regex '%s' matches origin '%s'."$originRegexp$origin));
  294.                     return true;
  295.                 }
  296.             }
  297.         } else {
  298.             // old origin matching
  299.             if (in_array($origin$options['allow_origin'])) {
  300.                 $this->logger->debug(sprintf("Origin '%s' is allowed."$origin));
  302.                 return true;
  303.             }
  304.         }
  306.         $this->logger->debug(sprintf("Origin '%s' is not allowed."$origin));
  308.         return false;
  309.     }
  311.     private function isWildcard(array $optionsstring $option): bool
  312.     {
  313.         $result $options[$option] === true || (is_array($options[$option]) && in_array('*'$options[$option]));
  315.         $this->logger->debug(sprintf("Option '%s' is %s a wildcard."$option$result '' 'not'));
  317.         return $result;
  318.     }
  319. }