Laravel CORS Middleware

readme.md

CORS stands for Cross-Origin Resource Sharing an is a specification that allow modern browsers to request (and receive) data from a domain other than the one serving the page that made the request.

You're building a site with cool cross domain features, and then you try to make a XHR request, you see the following message in your browser’s console:

XMLHttpRequest cannot load http://site123.local. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://site.local' is therefore not allowed access. The response had HTTP status code 500.

This means your server is not sending back to the client the headers that allow CORS:

1.Access-Control-Allow-Origin 2.Access-Control-Allow-Methods

So we'll make a Laravel Middleware to fix this. (You could also add the proper headers at the Ngnix level).

Create new middleware:

php artisan make:middleware Cors

Then follow the file examples in this gist to make it happen.

See http://enable-cors.org/ for more information.

Cors.php

<?php // /app/Http/Middleware/Cors.php

namespace App\Http\Middleware;

use Closure;

class Cors {
    public function handle($request, Closure $next)
    {
        return $next($request)
          ->header('Access-Control-Allow-Origin', '*')
          ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
    }
}

Kernel.php

<?php // /app/Http/Kernel.php

protected $routeMiddleware = [
    'auth' => \App\Http\Middleware\Authenticate::class,
    'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
    'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
    'cors' => \App\Http\Middleware\Cors::class, // <<< add this line
];

routes.php

<?php

Route::get('', ['middleware' => 'cors', function() {
    return 'You did it!';
}]);

Are you able to only add 2 domains without using a wildcard "*" to allow all domains? I mean, what's the point of CORS if you are allowing all origins?