Set AllowedOrigins based on condition using Laravel-Cors

Question

I was previously using a custom cors middleware in order to handle Allow Origin based on my environment. But after upgrading to 5.5, I had an issue with preflight OPTIONS cors so I switched to laravel-cors library. But now I don't know how I can handle different cases just by a config file. I'm wondering if anyone has experienced a similar issue. This is my previous custom cors middleware:

public function handle($request, Closure $next)
{
    // Default to the configured application URL as the allowed origin
    $origin = \Config::get('app.url', "https://mysite.ca");

    // Set origin for localhost developing, else just use the staging server
    if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === 'http://app.localhost:3333') {
        $origin = 'http://app.localhost:3333';
    }

    $response = $next($request);

    // Note: the Allow-Origin header is sent on every response, even when the
    // request's Origin is not one of the two allowed values
    $response->headers->set('Access-Control-Allow-Origin', $origin);
    $response->headers->set('Access-Control-Expose-Headers', 'Authorization');
    $response->headers->set('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, PUT, DELETE');
    $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Accept, Authorization, X-Requested-With, Application');
    $response->headers->set('Access-Control-Allow-Credentials', 'true');

    return $response;
}

Accepted answer

laravel-cors already by default automatically does the equivalent of what the custom code in the question is doing — that is, laravel-cors sets the Access-Control-Allow-Origin value conditionally based on what the value of the Origin header is and whether you’ve allowed it in your config.

However, as far as what the code in the question does, it’s not clear why you want to ever send an Access-Control-Allow-Origin response header with its value set to the app.url value.

What I mean is, app.url’s value is the URL for the same server you’ve installed laravel-cors at, right? That is, it’s the application to which you want to allow cross-origin requests from particular origins. If that’s the case, then you don’t need to explicitly allow requests from app.url, because those aren’t cross-origin requests so they’re allowed already without you needing to do anything.

Another point is that app.url isn’t an origin — instead it’s a URL, potentially with a path. But origins don’t have paths. So you don’t actually want to be setting the value of $origin to app.url unless you’re certain that your app.url has no path (not even a trailing slash).

All that said, if you really want to get the exact behavior of the custom code in the question, you can set your $origin variable as a global variable and then set the allowedOrigins array like this:

return [
     /*
     |--------------------------------------------------------------------------
     | Laravel CORS
     |--------------------------------------------------------------------------
     |
     | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
     | to accept any value.
     |
     */
    'supportsCredentials' => true,
    'allowedOrigins' => [$origin, 'http://app.localhost:3333'],
    'allowedHeaders' => ['Content-Type', 'Accept', 'Authorization', 'X-Requested-With', 'Application'],
    'allowedMethods' => ['POST', 'GET', 'OPTIONS', 'PUT', 'DELETE'],
    'exposedHeaders' => ['Authorization'],
    'maxAge' => 0,
];

Those are the complete config settings for doing the equivalent of the custom code in the question.

Given the allowedOrigins value above, the conditional logic laravel-cors follows is this:

  • if the Origin request-header value matches the value of $origin, then send back the response header Access-Control-Allow-Origin with its value set to the $origin value
  • else if the Origin request-header value is http://app.localhost:3333, then send back the response header Access-Control-Allow-Origin: http://app.localhost:3333
  • else don’t send back any Access-Control-Allow-Origin response header

That’s what you need if you want to allow cross-origin requests from either the value of $origin or http://app.localhost:3333 but not from any other origins.

It’s true that this does something a bit different from what the custom code in the question does — in that the code in the question causes an Access-Control-Allow-Origin response header with the $origin value to be sent back even to origins that are not allowed.

But you don’t want to be doing that anyway. In the case of a request coming from an origin that’s not allowed, there’s no point in sending back any Access-Control-Allow-Origin header at all — because the absence of the Access-Control-Allow-Origin response header tells the browser "don’t allow frontend JavaScript code running at this origin to access responses from our server".

Beyond that there’s no point in publicly leaking information about what any of the allowed origins are — which is what you’d be doing if you sent a default Access-Control-Allow-Origin response header set to $origin, as the custom code in the question does.
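To make the allow-list decision described in the answer concrete, here is an added, stand-alone PHP sketch (not code from the question, the answer, or the laravel-cors package) of the simplified logic: the Origin header is echoed back only when it exactly matches an allowed origin, and no Access-Control-Allow-Origin header is sent otherwise. The `originFromUrl` helper and the `https://mysite.ca/api/` app URL are constructed for illustration of the "app.url is a URL, not an origin" point.

```php
<?php
// Added example: the conditional Allow-Origin decision, runnable with plain `php`.

/** Reduce a URL such as config('app.url') to an origin (scheme://host[:port]), dropping any path. */
function originFromUrl(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null; // not a usable origin
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Return the CORS response headers for a request.
 * An empty array means: send no Access-Control-Allow-Origin header at all,
 * which the browser treats as "this origin may not read the response".
 */
function corsHeaders(?string $requestOrigin, array $allowedOrigins): array
{
    if ($requestOrigin === null || !in_array($requestOrigin, $allowedOrigins, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'      => $requestOrigin, // echo only the matched origin, never '*' with credentials
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',       // the response differs per Origin, so caches must key on it
    ];
}

// Constructed sample data: a hypothetical app.url with a path, plus the dev origin from the question.
$allowed = array_filter([
    originFromUrl('https://mysite.ca/api/'),   // normalised to https://mysite.ca
    'http://app.localhost:3333',
]);

foreach (['http://app.localhost:3333', 'https://mysite.ca', 'https://other.example', null] as $origin) {
    $hdrs = corsHeaders($origin, $allowed);
    printf("%-28s -> %s\n", $origin ?? '(no Origin header)',
        $hdrs ? $hdrs['Access-Control-Allow-Origin'] : 'no Access-Control-Allow-Origin header');
}
```

The two allowed origins are echoed back unchanged; the unlisted origin and the same-origin request (no Origin header) get no Allow-Origin header, so nothing about the allow list is disclosed to them.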
