Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #3205688 by jedihe, mr.baileys, dpagini: Include allowedOriginsPatterns in default.services.yml (regex matching for CORS)

merge-requests/5033/head
Dave Long 2023-10-17 12:42:37 +02:00
parent 2784ef71b0
commit 08b493a202
No known key found for this signature in database
GPG Key ID: ED52AE211E142771
3 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/assets/scaffold/files/default.services.yml
View File

@ -214,6 +214,8 @@ parameters:
# Configure requests allowed from specific origins. Do not include trailing # Configure requests allowed from specific origins. Do not include trailing
# slashes with URLs. # slashes with URLs.
allowedOrigins: ['*'] allowedOrigins: ['*']
# Configure requests allowed from origins, matching against regex patterns.
allowedOriginsPatterns: []
# Sets the Access-Control-Expose-Headers header. # Sets the Access-Control-Expose-Headers header.
exposedHeaders: false exposedHeaders: false
# Sets the Access-Control-Max-Age header. # Sets the Access-Control-Max-Age header.

47
core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
View File

@ -65,8 +65,55 @@ class CorsIntegrationTest extends BrowserTestBase {
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', '*'); $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', '*');
$this->assertSession()->responseHeaderNotContains('Vary', 'Origin'); $this->assertSession()->responseHeaderNotContains('Vary', 'Origin');
// Configure the CORS stack to match allowed origins using regex patterns.
$cors_config['allowedOrigins'] = [];
$cors_config['allowedOriginsPatterns'] = ['#^http://[a-z-]*\.valid.com$#'];
$this->setContainerParameter('cors.config', $cors_config);
$this->rebuildContainer();
// Fire a request from an origin that isn't allowed.
/** @var \Symfony\Component\HttpFoundation\Response $response */
$this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderDoesNotExist('Access-Control-Allow-Origin');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');
// Specify a valid origin.
$this->drupalGet('/test-page', [], ['Origin' => 'http://sub-domain.valid.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://sub-domain.valid.com');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');
// Test combining allowedOrigins and allowedOriginsPatterns.
$cors_config['allowedOrigins'] = ['http://domainA.com'];
$cors_config['allowedOriginsPatterns'] = ['#^http://domain[B-Z-]*\.com$#'];
$this->setContainerParameter('cors.config', $cors_config);
$this->rebuildContainer();
// Specify an origin that does not match allowedOrigins nor
// allowedOriginsPattern.
$this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderDoesNotExist('Access-Control-Allow-Origin');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');
// Specify a valid origin that matches allowedOrigins.
$this->drupalGet('/test-page', [], ['Origin' => 'http://domainA.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://domainA.com');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');
// Specify a valid origin that matches allowedOriginsPatterns.
$this->drupalGet('/test-page', [], ['Origin' => 'http://domainX.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://domainX.com');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');
// Configure the CORS stack to allow a specific origin. // Configure the CORS stack to allow a specific origin.
$cors_config['allowedOrigins'] = ['http://example.com']; $cors_config['allowedOrigins'] = ['http://example.com'];
$cors_config['allowedOriginsPatterns'] = [];
$this->setContainerParameter('cors.config', $cors_config); $this->setContainerParameter('cors.config', $cors_config);
$this->rebuildContainer(); $this->rebuildContainer();

2
sites/default/default.services.yml
View File

@ -214,6 +214,8 @@ parameters:
# Configure requests allowed from specific origins. Do not include trailing # Configure requests allowed from specific origins. Do not include trailing
# slashes with URLs. # slashes with URLs.
allowedOrigins: ['*'] allowedOrigins: ['*']
# Configure requests allowed from origins, matching against regex patterns.
allowedOriginsPatterns: []
# Sets the Access-Control-Expose-Headers header. # Sets the Access-Control-Expose-Headers header.
exposedHeaders: false exposedHeaders: false
# Sets the Access-Control-Max-Age header. # Sets the Access-Control-Max-Age header.