From 9858af876dadaa62963b95956c1dba4cf0c81310 Mon Sep 17 00:00:00 2001
From: Alessandro Tagliapietra
Date: Tue, 29 Oct 2013 13:53:02 +0100
Subject: [PATCH] Added same host check

---
 EventListener/CorsListener.php | 2 +-
 Tests/CorsListenerTest.php | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/EventListener/CorsListener.php b/EventListener/CorsListener.php
index 9a559b5..db30d92 100644
--- a/EventListener/CorsListener.php
+++ b/EventListener/CorsListener.php
@@ -56,7 +56,7 @@ public function onKernelRequest(GetResponseEvent $event)
         $request = $event->getRequest();
 
         // skip if not a CORS request
-        if (!$request->headers->has('Origin')) {
+        if (!$request->headers->has('Origin') || $request->headers->get('Origin') == $request->getSchemeAndHttpHost()) {
             return;
         }
 
diff --git a/Tests/CorsListenerTest.php b/Tests/CorsListenerTest.php
index 9c15db9..a49ac42 100644
--- a/Tests/CorsListenerTest.php
+++ b/Tests/CorsListenerTest.php
@@ -92,4 +92,26 @@ public function testPreflightedRequest()
         $this->assertEquals(null, $resp->headers->get('Access-Control-Allow-Methods'));
         $this->assertEquals(null, $resp->headers->get('Access-Control-Allow-Headers'));
     }
+
+    public function testSameHostRequest()
+    {
+        // Request with same host as origin
+        $config = array('/foo' => array(
+            'allow_origin' => array(),
+            'allow_headers' => array('foo', 'bar'),
+            'allow_methods' => array('POST', 'PUT'),
+        ));
+
+        $req = Request::create('/foo', 'POST');
+        $req->headers->set('Host', 'example.com');
+        $req->headers->set('Origin', 'http://example.com');
+
+        $callback = null;
+        $dispatcher = m::mock('Symfony\Component\EventDispatcher\EventDispatcherInterface');
+
+        $event = new GetResponseEvent(m::mock('Symfony\Component\HttpKernel\HttpKernelInterface'), $req, HttpKernelInterface::MASTER_REQUEST);
+        $this->getListener($config, array(), $dispatcher)->onKernelRequest($event);
+
+        $this->assertNull($event->getResponse());
+    }
 }
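Review bot: The same-origin shortcut on the added `if` compares with loose `==`; make it a strict string match, `if (!$request->headers->has('Origin') || $request->headers->get('Origin') === $request->getSchemeAndHttpHost()) {`. Keep in mind that `getSchemeAndHttpHost()` is built from the request's Host header (and from forwarded headers only when trusted proxies are configured), so this comparison is only as reliable as the host validation in front of the listener; behind a TLS-terminating proxy the server-side scheme can be `http` while the browser sends `Origin: https://…`, and such a genuinely same-origin request would then fall through to the CORS handling rather than return early. Since the early return skips whatever origin checks follow it, a comment on the line would make the intent explicit, e.g. `// An Origin equal to our own scheme+host is a same-origin request: no CORS processing needed`. onKernelRequest's body continues outside the hunk.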
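Review bot: `$callback = null;` in the new testSameHostRequest is assigned and never read; drop the line. The test only covers the exact match where Origin equals scheme and host; a companion case with the same hostname but a different scheme or port (for example `$req->headers->set('Origin', 'https://example.com');` against this http request) would pin down that the early return is strict and does not widen to any origin that merely shares the hostname. The `assertNull($event->getResponse())` presumably depends on the listener producing a response for a non-allowed origin, which is outside this hunk, so a short comment stating that expectation next to the assertion would help the next reader.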