From f77ea88388867d24cdac01a9b36c9b700f74d8bd Mon Sep 17 00:00:00 2001
From: Brandon Payton
Date: Tue, 3 Dec 2024 23:08:46 -0500
Subject: [PATCH] Restore CORS support to CORS proxy (#2023)

## Motivation for the change, related issues

We want to move the CORS proxy to a separate host from playground.wordpress.net. In order to continue using the proxy from playground.wordpress.net, the CORS proxy needs to support cross-origin requests to itself.

## Implementation details

This PR updates the CORS proxy to again respond with CORS-related headers for supported origins. Currently, supported origins are "https://playground.wordpress.net" and local origins based on "127.0.0.1" and "localhost".

## Testing Instructions (or ideally a Blueprint)

- Once #2022 is merged, deploy this branch to the dedicated CORS proxy host.
- Create a Blueprint that uses the dedicated CORS proxy host.
- Confirm the Blueprint works with playground.wordpress.net.
- Confirm the Blueprint works with the local dev server.
---
 .../php-cors-proxy/cors-proxy-functions.php | 27 +++++++++++++++++++
 .../playground/php-cors-proxy/cors-proxy.php | 10 +++++++
 2 files changed, 37 insertions(+)

diff --git a/packages/playground/php-cors-proxy/cors-proxy-functions.php b/packages/playground/php-cors-proxy/cors-proxy-functions.php
index 1db0a4faf4..338c51edc7 100644
--- a/packages/playground/php-cors-proxy/cors-proxy-functions.php
+++ b/packages/playground/php-cors-proxy/cors-proxy-functions.php
@@ -354,3 +354,30 @@ function rewrite_relative_redirect(
 }
 return $proxy_absolute_url . $redirect_location;
 }
+
+/**
+ * Answers whether CORS is allowed for the specified origin.
+ */
+function should_respond_with_cors_headers($host, $origin) {
+ if (empty($origin)) {
+ return false;
+ }
+
+ $is_request_from_playground_web_app = $origin === 'https://playground.wordpress.net';
+ $not_hosted_with_playground_web_app = $host !== 'playground.wordpress.net';
+ if (
+ $is_request_from_playground_web_app &&
+ $not_hosted_with_playground_web_app
+ ) {
+ return true;
+ }
+
+ $origin_host = parse_url($origin, PHP_URL_HOST);
+ $is_local_origin = in_array(
+ $origin_host,
+ array('localhost', '127.0.0.1'),
+ true
+ );
+
+ return $is_local_origin;
+}
diff --git a/packages/playground/php-cors-proxy/cors-proxy.php b/packages/playground/php-cors-proxy/cors-proxy.php
index 9fb854f391..04b2b483b5 100644
--- a/packages/playground/php-cors-proxy/cors-proxy.php
+++ b/packages/playground/php-cors-proxy/cors-proxy.php
@@ -13,6 +13,16 @@
 require_once $config_file;
 }
 
+$server_host = $_SERVER['HTTP_HOST'] ?? '';
+$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+
+if (should_respond_with_cors_headers($server_host, $origin)) {
+ header('Access-Control-Allow-Origin: ' . $origin);
+ header('Access-Control-Allow-Credentials: true');
+ header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
+ header('Access-Control-Allow-Headers: Authorization, Content-Type');
+}
+
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 header("Allow: GET, POST, OPTIONS");
 exit;
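Review bot: The loopback branch at the end of `should_respond_with_cors_headers()` looks only at the host part of `$origin`, so every scheme and port on `localhost` or `127.0.0.1` is accepted, and unlike the playground branch it is not conditioned on `$host`. The caller in cors-proxy.php answers a true result with `Access-Control-Allow-Credentials: true`, so this holds on any host the proxy is deployed to, not only on a developer machine. If that is the intent, say so in the docblock, for example `Loopback origins are accepted on every deployment and on any port so that local dev servers can use a hosted proxy.`, and add `@param string $host` / `@param string $origin` lines noting that both values come straight from request headers. If it is not the intent, the loopback branch needs the same kind of deployment condition the playground branch has.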
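Review bot: `Access-Control-Allow-Origin` is filled from the request's `Origin` header, so the response now differs per origin, yet no `Vary: Origin` header is sent with it. If a shared cache or CDN ever sits in front of the proxy (not visible from this hunk), a response stored for one origin, or for a request that received no CORS headers, could be served to a different origin. Adding `header('Vary: Origin');` before the `if (should_respond_with_cors_headers(...))` check would cover both the allowed and the refused case, provided later code does not replace that header. The `OPTIONS` block that follows continues past the end of the hunk.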