From 63e4037dc7f91526cf05d156864d8ca073060174 Mon Sep 17 00:00:00 2001
From: michalsn
Date: Mon, 27 Jan 2025 08:35:47 +0100
Subject: [PATCH] fix: set everything in the before filter for CORS

---
 system/Filters/Cors.php | 42 +++++++--------------
 user_guide_src/source/changelogs/v4.6.1.rst | 3 ++
 user_guide_src/source/libraries/cors/002.php | 1 -
 3 files changed, 17 insertions(+), 29 deletions(-)

diff --git a/system/Filters/Cors.php b/system/Filters/Cors.php
index 9a9bbb208152..cb0e09c138ea 100644
--- a/system/Filters/Cors.php
+++ b/system/Filters/Cors.php
@@ -58,22 +58,24 @@ public function before(RequestInterface $request, $arguments = null)

 $this->createCorsService($arguments);

- if (! $this->cors->isPreflightRequest($request)) {
- return null;
- }
-
 /** @var ResponseInterface $response */
 $response = service('response');

- $response = $this->cors->handlePreflightRequest($request, $response);
+ if ($request->is('OPTIONS')) {
+ // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
+ // If there is an intermediate cache server such as a CDN, if a plain
+ // OPTIONS request is sent, it may be cached. But valid preflight requests
+ // have this header, so it will be cached separately.
+ $response->appendHeader('Vary', 'Access-Control-Request-Method');
+ }
+
+ if ($this->cors->isPreflightRequest($request)) {
+ return $this->cors->handlePreflightRequest($request, $response);
+ }

- // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
- // If there is an intermediate cache server such as a CDN, if a plain
- // OPTIONS request is sent, it may be cached. But valid preflight requests
- // have this header, so it will be cached separately.
- $response->appendHeader('Vary', 'Access-Control-Request-Method');
+ $this->cors->addResponseHeaders($request, $response);

- return $response;
+ return null;
 }

 /**
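Review bot: `$this->cors->addResponseHeaders($request, $response);` drops its return value and writes to the `service('response')` instance fetched in `before()`, so on the non-preflight path the CORS headers reach the client only if that same object is the one finally sent. Before this commit `after()` (emptied in the next hunk) applied the headers to the final response; a controller or later filter that returns a different `ResponseInterface` object would now presumably go out without them, and without the `Vary: Access-Control-Request-Method` value appended a few lines above, which the comment there ties to correct caching at a CDN. That fails closed in the browser, but it is a silent regression for such routes and should be stated next to the call, e.g. `// Headers are written to the shared response; a response object created elsewhere will not carry them.`, with a test that returns a fresh response from a controller. The start of `before()` lies above this hunk, so the early-return path for non-`IncomingRequest` requests is not visible here.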
@@ -87,25 +89,9 @@ private function createCorsService(?array $arguments): void

 /**
 * @param list|null $arguments
- *
- * @return ResponseInterface|null
 */
 public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
 {
- if (! $request instanceof IncomingRequest) {
- return null;
- }
-
- $this->createCorsService($arguments);
-
- // Always adds `Vary: Access-Control-Request-Method` header for cacheability.
- // If there is an intermediate cache server such as a CDN, if a plain
- // OPTIONS request is sent, it may be cached. But valid preflight requests
- // have this header, so it will be cached separately.
- if ($request->is('OPTIONS')) {
- $response->appendHeader('Vary', 'Access-Control-Request-Method');
- }
-
- return $this->cors->addResponseHeaders($request, $response);
+ return null;
 }
 }
diff --git a/user_guide_src/source/changelogs/v4.6.1.rst b/user_guide_src/source/changelogs/v4.6.1.rst
index c230ee6d32b9..5f502cc02207 100644
--- a/user_guide_src/source/changelogs/v4.6.1.rst
+++ b/user_guide_src/source/changelogs/v4.6.1.rst
@@ -22,6 +22,8 @@ Message Changes
 Changes
 *******

+- **Cors:** From now on only the ``before`` filter is used. You can remove all the ``after`` filter occurrences from your configuration for CORS.
+
 ************
 Deprecations
 ************
@@ -31,6 +33,7 @@ Bugs Fixed
 **********

 - **CURLRequest:** Fixed an issue where multiple header sections appeared in the CURL response body during multiple redirects from the target server.
+- **Cors:** Fixed a bug in the Cors filter that caused the appropriate headers to not be added when another filter returned a response object. From now on all CORS headers are added in the ``before`` filter and the ``after`` filter is no longer used.

 See the repo's
 `CHANGELOG.md `_
diff --git a/user_guide_src/source/libraries/cors/002.php b/user_guide_src/source/libraries/cors/002.php
index 1229eaace3a4..cee6ab9e8566 100644
--- a/user_guide_src/source/libraries/cors/002.php
+++ b/user_guide_src/source/libraries/cors/002.php
@@ -13,7 +13,6 @@ class Filters extends BaseFilters
 // ...
 'cors' => [
 'before' => ['api/*'],
- 'after' => ['api/*'],
 ],
 ];
 }