Merge pull request #25 from rb-cohen/master

Match wildcard subdomains
zf-fr · Jul 23, 2014 · 0160c81 · 0160c81
2 parents e921ff0 + 3ea8cac
commit 0160c81
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -54,7 +54,8 @@ As of now, all the various options are set globally for all routes:
 
  * `allowed_origins`: (array) List of allowed origins. To allow any origin, you can use the wildcard (`*`) character. If
    multiple origins are specified, ZfrCors will automatically check the `"Origin"` header's value, and only return the
-   allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header. Please note that you don't need to
+   allowed domain (if any) in the `"Allow-Access-Control-Origin"` response header. To allow any sub-domain, you can prefix 
+   the domain with the wildcard character (i.e. *.example.com). Please note that you don't need to
    add your host URI (so if your website is hosted as "example.com", "example.com" is automatically allowed.
  * `allowed_methods`: (array) List of allowed HTTP methods. Those methods will be returned for the preflight request to
    indicate which methods are allowed to the user agent. You can even specify custom HTTP verbs.

diff --git a/src/ZfrCors/Service/CorsService.php b/src/ZfrCors/Service/CorsService.php
@@ -179,8 +179,11 @@ protected function getAllowedOriginValue(HttpRequest $request)
             return '*';
         }
 
-        if (in_array($request->getHeader('Origin')->getFieldValue(), $allowedOrigins)) {
-            return $request->getHeader('Origin')->getFieldValue();
+        $origin = $request->getHeader('Origin')->getFieldValue();
+        foreach ($allowedOrigins as $allowedOrigin) {
+            if (fnmatch($allowedOrigin, $origin)) {
+                return $origin;
+            }
         }
 
         return 'null';

diff --git a/tests/ZfrCorsTest/Service/CorsServiceTest.php b/tests/ZfrCorsTest/Service/CorsServiceTest.php
@@ -162,6 +162,68 @@ public function testCanReturnWildCardAllowOrigin()
         $headers = $response->getHeaders();
         $this->assertEquals('*', $headers->get('Access-Control-Allow-Origin')->getFieldValue());
     }
+
+    public function testCanReturnWildCardSubDomainAllowOrigin()
+    {
+        $request  = new HttpRequest();
+        $request->getHeaders()->addHeaderLine('Origin', 'http://subdomain.example.com');
+        $this->corsOptions->setAllowedOrigins(array('*.example.com'));
+
+        $response = $this->corsService->createPreflightCorsResponse($request);
+
+        $headers = $response->getHeaders();
+        $headerValue = $headers->get('Access-Control-Allow-Origin')->getFieldValue();
+        $this->assertEquals('http://subdomain.example.com', $headerValue);
+    }
+
+    public function testCanReturnWildCardSubDomainWithSchemeAllowOrigin()
+    {
+        $request  = new HttpRequest();
+        $request->getHeaders()->addHeaderLine('Origin', 'https://subdomain.example.com');
+        $this->corsOptions->setAllowedOrigins(array('https://*.example.com'));
+
+        $response = $this->corsService->createPreflightCorsResponse($request);
+
+        $headers = $response->getHeaders();
+        $headerValue = $headers->get('Access-Control-Allow-Origin')->getFieldValue();
+        $this->assertEquals('https://subdomain.example.com', $headerValue);
+    }
+
+    public function testReturnNullForMissMatchedWildcardSubDomainOrigin()
+    {
+        $request  = new HttpRequest();
+        $request->getHeaders()->addHeaderLine('Origin', 'http://subdomain.example.org');
+        $this->corsOptions->setAllowedOrigins(array('*.example.com'));
+
+        $response = $this->corsService->createPreflightCorsResponse($request);
+
+        $headers = $response->getHeaders();
+        $this->assertEquals('null', $headers->get('Access-Control-Allow-Origin')->getFieldValue());
+    }
+
+    public function testReturnNullForRootDomainOnWildcardSubDomainOrigin()
+    {
+        $request  = new HttpRequest();
+        $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
+        $this->corsOptions->setAllowedOrigins(array('*.example.com'));
+
+        $response = $this->corsService->createPreflightCorsResponse($request);
+
+        $headers = $response->getHeaders();
+        $this->assertEquals('null', $headers->get('Access-Control-Allow-Origin')->getFieldValue());
+    }
+
+    public function testReturnNullForDifferentSchemeOnWildcardSubDomainOrigin()
+    {
+        $request  = new HttpRequest();
+        $request->getHeaders()->addHeaderLine('Origin', 'https://example.com');
+        $this->corsOptions->setAllowedOrigins(array('http://*.example.com'));
+
+        $response = $this->corsService->createPreflightCorsResponse($request);
+
+        $headers = $response->getHeaders();
+        $this->assertEquals('null', $headers->get('Access-Control-Allow-Origin')->getFieldValue());
+    }
 
     public function testReturnNullForUnknownOrigin()
     {