sintonia/legacy/application/common/CORSHelper.php

<?php

class CORSHelper
{
    public static function enableCrossOriginRequests(&$request, &$response)
    {
        // Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
        $origin = $request->getHeader('Origin');
        $allowedOrigins = self::getAllowedOrigins($request);

        if ((!(preg_match('/https?:\/\/localhost/', $origin) === 1)) && ($origin != '')
            && (!in_array($origin, $allowedOrigins))
        ) {
            // Don't allow CORS from other domains to prevent XSS.
            Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");

            throw new Zend_Controller_Action_Exception('Forbidden', 403);
        }
        // Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.
        if ($origin) {
            $response = $response->setHeader('Access-Control-Allow-Origin', $origin);
        }
    }

    /**
     * Get all allowed origins.
     *
     * @param Request $request request object
     */
    public static function getAllowedOrigins($request)
    {
        $allowedCorsUrls = array_map(
            function ($v) { return trim($v); },
            explode(PHP_EOL, Application_Model_Preference::GetAllowedCorsUrls())
        );

        // always allow the configured server in (as reported by the server and not what is i baseUrl)
        $scheme = $request->getServer('REQUEST_SCHEME');
        $host = $request->getServer('SERVER_NAME');
        $port = $request->getServer('SERVER_PORT');

        $portString = '';
        if (
            $scheme == 'https' && $port != 443
            || $scheme == 'http' && $port != 80
        ) {
            $portString = sprintf(':%s', $port);
        }
        $requestedUrl = sprintf(
            '%s://%s%s',
            $scheme,
            $host,
            $portString
        );

        return array_merge($allowedCorsUrls, [
            $requestedUrl,
        ]);
    }
}
CORS refactoring 2014-07-03 18:26:09 +02:00			`<?php`

			`class CORSHelper`
			`{`
Make CORS great again This fixes CORS to work properly with most 2.5 api endpoints while keeping the JSONP format available. * [x] return JSONP or JSON with proper CORS headers from API * [x] Field in Genereal Preferences Form to configure CORS enabled URLs See #17 for what triggered this refactor. I beleive this should make integrating the APIs on the client side trivial without mandating the use of JSONP. 2017-03-10 15:10:56 +01:00			`public static function enableCrossOriginRequests(&$request, &$response)`
CORS refactoring 2014-07-03 18:26:09 +02:00			`{`
style(legacy): fix code format with php-cs-fixer (#1674) 2022-03-14 11:15:04 +01:00			`// Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.`
CORS refactoring 2014-07-03 18:26:09 +02:00			`$origin = $request->getHeader('Origin');`
Better cors error logging 2021-10-07 19:05:56 +02:00			`$allowedOrigins = self::getAllowedOrigins($request);`
Fix non default local CORS URL case I cleaned up the CORSHandler code a bit more and also rewrote the helper to use the framework to access the request properly and took care of also grabbing the request schema from the server. 2017-07-18 20:39:53 +02:00
Put regex rules between single quotes 2021-10-12 11:09:46 +02:00			`if ((!(preg_match('/https?:\/\/localhost/', $origin) === 1)) && ($origin != '')`
Format code using php-cs-fixer 2021-10-11 16:10:47 +02:00			`&& (!in_array($origin, $allowedOrigins))`
Better cors error logging 2021-10-07 19:05:56 +02:00			`) {`
style(legacy): fix code format with php-cs-fixer (#1674) 2022-03-14 11:15:04 +01:00			`// Don't allow CORS from other domains to prevent XSS.`
Better cors error logging 2021-10-07 19:05:56 +02:00			`Logging::error("request origin '{$origin}' is not in allowed '" . implode(', ', $allowedOrigins) . "'!");`
Format code using php-cs-fixer 2021-10-11 16:10:47 +02:00
CORS refactoring 2014-07-03 18:26:09 +02:00			`throw new Zend_Controller_Action_Exception('Forbidden', 403);`
			`}`
style(legacy): fix code format with php-cs-fixer (#1674) 2022-03-14 11:15:04 +01:00			`// Allow AJAX requests from configured websites. We use this to allow other pages to use LibreTimes API.`
Make CORS great again This fixes CORS to work properly with most 2.5 api endpoints while keeping the JSONP format available. * [x] return JSONP or JSON with proper CORS headers from API * [x] Field in Genereal Preferences Form to configure CORS enabled URLs See #17 for what triggered this refactor. I beleive this should make integrating the APIs on the client side trivial without mandating the use of JSONP. 2017-03-10 15:10:56 +01:00			`if ($origin) {`
			`$response = $response->setHeader('Access-Control-Allow-Origin', $origin);`
			`}`
CORS refactoring 2014-07-03 18:26:09 +02:00			`}`
Fix logins from WHMCS by disabling CSRF token on login page for trusted origins 2014-11-21 01:33:11 +01:00
Fix non default local CORS URL case I cleaned up the CORSHandler code a bit more and also rewrote the helper to use the framework to access the request properly and took care of also grabbing the request schema from the server. 2017-07-18 20:39:53 +02:00			`/**`
Format code using php-cs-fixer 2021-10-11 16:10:47 +02:00			`* Get all allowed origins.`
Fix non default local CORS URL case I cleaned up the CORSHandler code a bit more and also rewrote the helper to use the framework to access the request properly and took care of also grabbing the request schema from the server. 2017-07-18 20:39:53 +02:00			`*`
			`* @param Request $request request object`
			`*/`
			`public static function getAllowedOrigins($request)`
Fix logins from WHMCS by disabling CSRF token on login page for trusted origins 2014-11-21 01:33:11 +01:00			`{`
Make CORS great again This fixes CORS to work properly with most 2.5 api endpoints while keeping the JSONP format available. * [x] return JSONP or JSON with proper CORS headers from API * [x] Field in Genereal Preferences Form to configure CORS enabled URLs See #17 for what triggered this refactor. I beleive this should make integrating the APIs on the client side trivial without mandating the use of JSONP. 2017-03-10 15:10:56 +01:00			`$allowedCorsUrls = array_map(`
Format code using php-cs-fixer 2021-10-11 16:10:47 +02:00			`function ($v) { return trim($v); },`
Make CORS great again This fixes CORS to work properly with most 2.5 api endpoints while keeping the JSONP format available. * [x] return JSONP or JSON with proper CORS headers from API * [x] Field in Genereal Preferences Form to configure CORS enabled URLs See #17 for what triggered this refactor. I beleive this should make integrating the APIs on the client side trivial without mandating the use of JSONP. 2017-03-10 15:10:56 +01:00			`explode(PHP_EOL, Application_Model_Preference::GetAllowedCorsUrls())`
			`);`
Fix non default local CORS URL case I cleaned up the CORSHandler code a bit more and also rewrote the helper to use the framework to access the request properly and took care of also grabbing the request schema from the server. 2017-07-18 20:39:53 +02:00
			`// always allow the configured server in (as reported by the server and not what is i baseUrl)`
			`$scheme = $request->getServer('REQUEST_SCHEME');`
			`$host = $request->getServer('SERVER_NAME');`
			`$port = $request->getServer('SERVER_PORT');`

			`$portString = '';`
			`if (`
Format code using php-cs-fixer 2021-10-11 16:10:47 +02:00			`$scheme == 'https' && $port != 443`
			`\|\| $scheme == 'http' && $port != 80`
Fix non default local CORS URL case I cleaned up the CORSHandler code a bit more and also rewrote the helper to use the framework to access the request properly and took care of also grabbing the request schema from the server. 2017-07-18 20:39:53 +02:00			`) {`
			`$portString = sprintf(':%s', $port);`
			`}`
			`$requestedUrl = sprintf(`
			`'%s://%s%s',`
			`$scheme,`
			`$host,`
			`$portString`
			`);`
Format code using php-cs-fixer 2021-10-11 16:10:47 +02:00
			`return array_merge($allowedCorsUrls, [`
			`$requestedUrl,`
			`]);`
Fix logins from WHMCS by disabling CSRF token on login page for trusted origins 2014-11-21 01:33:11 +01:00			`}`
Whitelist account.sourcefabric.com for CORS 2014-09-05 01:11:09 +02:00			`}`