Set AllowedOrigins based on condition using Laravel-Cors

Question
I was previously using a custom cors middleware in order to handle Allow Origin based on my environment. But after upgrading to 5.5, I had an issue with preflight OPTIONS cors, so I switched to the laravel-cors library. But now I don't know how I can handle different cases just by a config file. I'm wondering if anyone has experienced a similar issue. This is my previous custom cors middleware:
```php
<?php

namespace App\Http\Middleware;

use Closure;

// Class name and namespace are assumed; the question only showed the handle() method.
class Cors
{
    public function handle($request, Closure $next)
    {
        // Default to the configured app URL (falls back to the production site)
        $origin = \Config::get('app.url', "https://mysite.ca");
        // Set origin for localhost developing, else just use the staging server
        if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === 'http://app.localhost:3333') {
            $origin = 'http://app.localhost:3333';
        }
        $response = $next($request);
        // Note: the Allow-Origin header is sent on every response, whatever the request's Origin was
        $response->headers->set('Access-Control-Allow-Origin', $origin);
        $response->headers->set('Access-Control-Expose-Headers', 'Authorization');
        $response->headers->set('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, PUT, DELETE');
        $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization, X-Requested-With, Application');
        $response->headers->set('Access-Control-Allow-Credentials', 'true');
        return $response;
    }
}
```
Answer

laravel-cors already by default automatically does the equivalent of what the custom code in the question is doing — that is, laravel-cors sets the Access-Control-Allow-Origin value conditionally based on what the value of the Origin header is and if you’ve allowed it in your config.

However, as far as what the code in the question does, it’s not clear why you want to ever send an Access-Control-Allow-Origin response header with its value set to the app.url value.

What I mean is, app.url’s value is the URL for the same server you’ve installed laravel-cors at, right? That is, it’s the application to which you want to allow cross-origin requests from particular origins. If that’s the case, then you don’t need to explicitly allow requests from app.url, because those aren’t cross-origin requests, so they’re allowed already without you needing to do anything.

Another point is that app.url isn’t an origin — instead it’s a URL, potentially with a path. But origins don’t have paths. So you don’t actually want to be setting the value of $origin to app.url unless you’re certain that your app.url has no path (not even a trailing slash).

All that said, if you really want to get the exact behavior of the custom code in the question, you can set your $origin variable as a global variable and then set the allowedOrigins array like this:
```php
<?php

// $origin is expected to be defined before this file is loaded (the answer
// suggests a global variable); its value should be a bare origin, not a URL with a path.

return [
    /*
    |--------------------------------------------------------------------------
    | Laravel CORS
    |--------------------------------------------------------------------------
    |
    | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
    | to accept any value.
    |
    */
    'supportsCredentials' => true,
    'allowedOrigins' => [$origin, 'http://app.localhost:3333'],
    'allowedHeaders' => ['Content-Type', 'Accept', 'Authorization', 'X-Requested-With', 'Application'],
    'allowedMethods' => ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE'],
    'exposedHeaders' => ['Authorization'],
    'maxAge' => 0,
];
```
Those are the complete config settings for doing the equivalent of the custom code in the question.

Given the allowedOrigins value above, the conditional logic laravel-cors follows is this:

- if the Origin request-header value matches the value of $origin, then send back the response header Access-Control-Allow-Origin with its value set to the $origin value
- else if the Origin request-header value is http://app.localhost:3333, then send back the response header Access-Control-Allow-Origin: http://app.localhost:3333
- else don’t send back any Access-Control-Allow-Origin response header
That’s what you need if you want to allow cross-origin requests from either the value of $origin or http://app.localhost:3333 but not from any other origins.

It’s true that this does something a bit different from what the custom code in the question does — in that the code in the question causes an Access-Control-Allow-Origin response header with the $origin value to be sent back even to origins that are not allowed.

But you don’t want to be doing that anyway. In the case of a request coming from an origin that’s not allowed, there’s no point in sending back any Access-Control-Allow-Origin header at all — because the absence of the Access-Control-Allow-Origin response header tells the browser "don’t allow frontend JavaScript code running at this origin to access responses from our server".

Beyond that, there’s no point in publicly leaking information about what any of the allowed origins are — which is what you’d be doing if you sent a default Access-Control-Allow-Origin response header set to $origin, as the custom code in the question does.
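The following is an added example, not code from the question or from the laravel-cors project. It models the three-way allow-list decision the answer describes (reflect the request's Origin only when it is in allowedOrigins, otherwise send no Access-Control-Allow-Origin header at all) and adds a helper that reduces a URL such as app.url, which may carry a path or trailing slash, to a bare origin. Function names, the sample app URL with a path, and the sample request origins are constructed for illustration; real laravel-cors additionally handles wildcard patterns and preflight responses, which this model leaves out.

```php
<?php
// Stand-alone model of the allow-list logic from the answer. Run with: php cors_allowlist.php

/**
 * Reduce a URL (possibly with a path or trailing slash) to an origin of the form
 * scheme://host[:port]. Returns null if the URL has no scheme or host.
 * Default ports (80 for http, 443 for https) are dropped, matching what browsers send.
 */
function originFromUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme  = strtolower($parts['scheme']);
    $host    = strtolower($parts['host']);
    $port    = $parts['port'] ?? null;
    $default = ['http' => 80, 'https' => 443][$scheme] ?? null;
    if ($port !== null && $port !== $default) {
        return "{$scheme}://{$host}:{$port}";
    }
    return "{$scheme}://{$host}";
}

/**
 * Decide which CORS response headers to emit for one request.
 *
 * @param string|null $requestOrigin  value of the request's Origin header, or null if absent
 * @param string[]    $allowedOrigins the allowedOrigins list from the config (exact origins only)
 * @return array<string,string>       headers to add to the response (empty = none)
 */
function corsHeadersFor(?string $requestOrigin, array $allowedOrigins): array
{
    if ($requestOrigin === null) {
        return [];   // no Origin header: same-origin or non-browser request, nothing to do
    }
    // Exact, case-sensitive comparison; an origin not on the list gets no CORS headers,
    // so nothing about the allow list is disclosed to it.
    if (!in_array($requestOrigin, $allowedOrigins, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'      => $requestOrigin,
        'Access-Control-Allow-Credentials' => 'true',
        'Access-Control-Expose-Headers'    => 'Authorization',
        // The value varies per request Origin, so shared caches must key on it.
        'Vary'                             => 'Origin',
    ];
}

// Constructed sample values standing in for config('app.url') and the dev origin.
$appUrl  = 'https://mysite.ca/app/';          // deliberately has a path and trailing slash
$origin  = originFromUrl($appUrl);             // "https://mysite.ca"
$allowed = [$origin, 'http://app.localhost:3333'];

$cases = [
    'https://mysite.ca',
    'http://app.localhost:3333',
    'https://mysite.ca/app/',                  // a URL, not an origin: never matches
    'https://other.example',                   // constructed origin that is not allowed
    null,                                      // request without an Origin header
];
foreach ($cases as $o) {
    $hdrs = corsHeadersFor($o, $allowed);
    printf("%-28s -> %s\n", var_export($o, true),
        $hdrs ? 'Access-Control-Allow-Origin: ' . $hdrs['Access-Control-Allow-Origin']
              : '(no CORS headers)');
}
```

Running it shows only the two listed origins getting an Access-Control-Allow-Origin header; the path-bearing form of the same site and the unlisted origin get nothing, which is the behaviour the answer recommends over unconditionally reflecting $origin. The Vary: Origin header is included because a response whose Allow-Origin value depends on the request's Origin must not be served from a shared cache to a different origin.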