Issue #2853201 by hampercm, dawehner: [upstream] CORS breaks form submission unless allowed origins includes site's own host

2017-04-22 13:12:09 +01:00 · 2017-04-22 13:12:09 +01:00 · 453d552da9
parent f7520a2969
commit 453d552da9
3 changed files with 34 additions and 11 deletions
--- a/composer.lock
+++ b/composer.lock
@ -8,27 +8,36 @@
    "packages": [
        {
            "name": "asm89/stack-cors",
-            "version": "1.0.0",
+            "version": "1.1.0",
            "source": {
                "type": "git",
                "url": "https://github.com/asm89/stack-cors.git",
-                "reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc"
+                "reference": "65ccbd455370f043c2e3b93482a3813603d68731"
            },
            "dist": {
                "type": "zip",
-                "url": "https://api.github.com/repos/asm89/stack-cors/zipball/3ae8ef219bb4c9a6caf857421719aa07fa7776cc",
-                "reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc",
+                "url": "https://api.github.com/repos/asm89/stack-cors/zipball/65ccbd455370f043c2e3b93482a3813603d68731",
+                "reference": "65ccbd455370f043c2e3b93482a3813603d68731",
                "shasum": ""
            },
            "require": {
-                "php": ">=5.3.2",
-                "symfony/http-foundation": "~2.1|~3.0",
-                "symfony/http-kernel": "~2.1|~3.0"
+                "php": ">=5.5.9",
+                "symfony/http-foundation": "~2.7|~3.0",
+                "symfony/http-kernel": "~2.7|~3.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^5.0 || ^4.8.10",
+                "squizlabs/php_codesniffer": "^2.3"
            },
            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.1-dev"
+                }
+            },
            "autoload": {
-                "psr-0": {
-                    "Asm89\\Stack": "src/"
+                "psr-4": {
+                    "Asm89\\Stack\\": "src/Asm89/Stack/"
                }
            },
            "notification-url": "https://packagist.org/downloads/",
@ -47,7 +56,7 @@
                "cors",
                "stack"
            ],
-            "time": "2016-08-01T12:05:04+00:00"
+            "time": "2017-04-11T20:03:41+00:00"
        },
        {
            "name": "composer/installers",
--- a/core/composer.json
+++ b/core/composer.json
@ -32,7 +32,7 @@
        "zendframework/zend-diactoros": "~1.1",
        "composer/semver": "~1.0",
        "paragonie/random_compat": "^1.0|^2.0",
-        "asm89/stack-cors": "~1.0"
+        "asm89/stack-cors": "~1.1"
    },
    "conflict": {
        "drush/drush": "<8.1.10"
--- a/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
+++ b/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
@ -2,6 +2,7 @@

 namespace Drupal\FunctionalTests\HttpKernel;

+use Drupal\Core\Url;
 use Drupal\Tests\BrowserTestBase;

 /**
@ -72,6 +73,19 @@ class CorsIntegrationTest extends BrowserTestBase {
    $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
    $this->assertSession()->statusCodeEquals(200);
    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+
+    // Verify POST still functions with 'Origin' header set to site's domain.
+    $origin = \Drupal::request()->getSchemeAndHttpHost();
+
+    /** @var \GuzzleHttp\ClientInterface $httpClient */
+    $httpClient = $this->getSession()->getDriver()->getClient()->getClient();
+    $url = Url::fromUri('base:/test-page');
+    $response = $httpClient->request('POST', $url->setAbsolute()->toString(), [
+      'headers' => [
+        'Origin' => $origin,
+      ]
+    ]);
+    $this->assertEquals(200, $response->getStatusCode());
  }

 }