Allow wildcard headers by feeding back the requested headers to the r…

…esponse, fixes #7

DependencyInjection/Configuration.php

@@ -89,7 +89,16 @@ private function getAllowHeaders()
     {
         $node = new ArrayNodeDefinition('allow_headers');
 
-        $node->prototype('scalar')->end();
+        $node
+            ->beforeNormalization()
+                ->always(function($v) {
+                    if ($v === '*') {
+                        return array('*');
+                    }
+                    return $v;
+                })
+            ->end()
+            ->prototype('scalar')->end();
 
         return $node;
     }

DependencyInjection/NelmioCorsExtension.php

@@ -49,11 +49,21 @@ public function load(array $configs, ContainerBuilder $container)
         if (in_array('*', $defaults['allow_origin'])) {
             $defaults['allow_origin'] = true;
         }
+        if (in_array('*', $defaults['allow_headers'])) {
+            $defaults['allow_headers'] = true;
+        } else {
+            $defaults['allow_headers'] = array_map('strtolower', $defaults['allow_headers']);
+        }
         foreach ($config['paths'] as $path => $opts) {
             $opts = array_filter($opts);
             if (isset($opts['allow_origin']) && in_array('*', $opts['allow_origin'])) {
                 $opts['allow_origin'] = true;
             }
+            if (isset($opts['allow_headers']) && in_array('*', $opts['allow_headers'])) {
+                $opts['allow_headers'] = true;
+            } elseif (isset($opts['allow_headers'])) {
+                $opts['allow_headers'] = array_map('strtolower', $opts['allow_headers']);
+            }
 
             $config['paths'][$path] = $opts;
         }

EventListener/CorsListener.php

@@ -64,7 +64,6 @@ public function onKernelRequest(GetResponseEvent $event)
         foreach ($this->paths as $path => $options) {
             if (preg_match('{'.$path.'}i', $currentPath)) {
                 $options = array_merge($this->defaults, $options);
-                $options['allow_headers'] = array_map('strtolower', $options['allow_headers']);
 
                 // perform preflight checks
                 if ('OPTIONS' === $request->getMethod()) {
@@ -114,7 +113,7 @@ protected function getPreflightResponse($request, $options)
             $response->headers->set('Access-Control-Allow-Methods', strtoupper(implode(', ', $options['allow_methods'])));
         }
         if ($options['allow_headers']) {
-            $response->headers->set('Access-Control-Allow-Headers', implode(', ', $options['allow_headers']));
+            $response->headers->set('Access-Control-Allow-Headers', $options['allow_headers'] === true ? $request->headers->get('Access-Control-Request-Headers') : implode(', ', $options['allow_headers']));
         }
         if ($options['max_age']) {
             $response->headers->set('Access-Control-Max-Age', $options['max_age']);
@@ -134,8 +133,9 @@ protected function getPreflightResponse($request, $options)
         }
 
         // check request headers
-        $headers = trim(strtolower($request->headers->get('Access-Control-Request-Headers')));
-        if ($headers) {
+        $headers = $request->headers->get('Access-Control-Request-Headers');
+        if ($options['allow_headers'] !== true && $headers) {
+            $headers = trim(strtolower($headers));
             foreach (preg_split('{, *}', $headers) as $header) {
                 if (in_array($header, self::$simpleHeaders, true)) {
                     continue;

README.md

@@ -40,6 +40,9 @@ seconds.
                 allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
                 max_age: 3600
 
+`allow_origin` and `allow_headers` can be set to `*` to accept any value, the
+allowed methods however have to be explicitly listed.
+
 ## Installation (Symfony 2.1+)
 
 Require the `nelmio/cors-bundle` package in your composer.json and update your dependencies.