exposed headers

daycry · daycry · commit f65263c2acf3 · 2023-06-28T17:31:03.000+02:00
diff --git a/src/Config/RestFul.php b/src/Config/RestFul.php
@@ -206,7 +206,7 @@ class RestFul extends BaseConfig
     * Set to TRUE to enable Cross-Origin Resource Sharing (CORS) from any
     * source domain
     */
-    public bool $allowAnyCorsDomain = true;
+    public bool $allowAnyCorsDomain = false;
 
     /**
     * --------------------------------------------------------------------------
@@ -261,7 +261,7 @@ class RestFul extends BaseConfig
     | http://docs.sencha.com/extjs/6.5.2/classic/Ext.data.proxy.Rest.html#cfg-withCredentials
     |
     */
-    public array $forcedCorsHeaders = [ 'Access-Control-Allow-Credentials' => 'true' ];
+    public bool $supportsCredentials = false;
 
     /**
      * --------------------------------------------------------------------------
diff --git a/src/Validators/Cors.php b/src/Validators/Cors.php
@@ -40,12 +40,14 @@ public static function check(ResponseInterface &$response)
         $response->setHeader('Access-Control-Allow-Headers', $allowedCorsHeaders);
         $response->setHeader('Access-Control-Allow-Methods', $allowedCorsMethods);
 
-        $forcedheaders = service('settings')->get('RestFul.forcedCorsHeaders');
-        // If there are headers that should be forced in the CORS check, add them now
-        if (is_array($forcedheaders)) {
-            foreach ($forcedheaders as $header => $value) {
-                $response->setHeader($header, $value);
-            }
+        $response->setHeader('Access-Control-Expose-Headers', implode(', ', service('settings')->get('RestFul.exposedCorsHeaders')));
+
+        if (service('settings')->get('RestFul.corsMaxAge') !== null) {
+            $response = $response->setHeader('Access-Control-Max-Age', (string) service('settings')->get('RestFul.corsMaxAge'));
+        }
+
+        if (service('settings')->get('RestFul.supportsCredentials')) {
+            $response = $response->setHeader('Access-Control-Allow-Credentials', 'true');
         }
 
     }
diff --git a/tests/Validators/CorsTest.php b/tests/Validators/CorsTest.php
@@ -70,7 +70,7 @@ public function testCorsAllowCustomDomainError(): void
         $result = $this->call('get', 'example');
 
         $result->assertHeaderMissing('Access-Control-Allow-Origin');
-        $result->assertHeader('Access-Control-Allow-Credentials');
+        $result->assertHeaderMissing('Access-Control-Allow-Credentials');
     }
 
     public function testCorsOptionsMethodError(): void

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function testCorsAllowCustomDomainError(): void`
`70`	`70`	`$result = $this->call('get', 'example');`
`71`	`71`
`72`	`72`	`$result->assertHeaderMissing('Access-Control-Allow-Origin');`
`73`		`- $result->assertHeader('Access-Control-Allow-Credentials');`
	`73`	`+ $result->assertHeaderMissing('Access-Control-Allow-Credentials');`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`public function testCorsOptionsMethodError(): void`