libretime/legacy/application/common/CORSHelper.php

35 lines
1.2 KiB
PHP
Raw Permalink Normal View History

2014-07-03 18:26:09 +02:00
<?php
class CORSHelper
{
public static function enableCrossOriginRequests(&$request, &$response)
2014-07-03 18:26:09 +02:00
{
// Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
2014-07-03 18:26:09 +02:00
$origin = $request->getHeader('Origin');
2021-10-07 19:05:56 +02:00
$allowedOrigins = self::getAllowedOrigins($request);
if (!($origin == '' || preg_match('/https?:\/\/localhost/', $origin) === 1 || in_array($origin, $allowedOrigins))) {
// Don't allow CORS from other domains to prevent XSS.
Logging::error(
"request origin '{$origin}' is not in the configured 'allowed_cors_origins' '" . implode(', ', $allowedOrigins) . "'"
);
2021-10-11 16:10:47 +02:00
2014-07-03 18:26:09 +02:00
throw new Zend_Controller_Action_Exception('Forbidden', 403);
}
// Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.
if ($origin) {
$response = $response->setHeader('Access-Control-Allow-Origin', $origin);
}
2014-07-03 18:26:09 +02:00
}
/**
2021-10-11 16:10:47 +02:00
* Get all allowed origins.
*
* @param Request $request request object
*/
public static function getAllowedOrigins($request)
{
return Config::get('general.allowed_cors_origins');
}
}