@frodosghost
Created April 14, 2016 02:35
CORS Listener and Handling with Symfony2
<?php
namespace AppBundle\EventListener;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;

class CorsListener
{
    /** @var string[] Origins (scheme://host[:port]) allowed to make cross-origin requests. */
    private $cors;

    public function __construct(array $options)
    {
        $this->cors = $options;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Don't do anything if it's not the master request.
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return;
        }

        $request = $event->getRequest();

        // Perform preflight checks: answer OPTIONS here and stop the kernel from
        // routing it. Access-Control-Allow-Origin is added in onKernelResponse,
        // which also runs for this early response, so only listed origins get it.
        if ('OPTIONS' === $request->getMethod()) {
            $response = new Response();
            $response->headers->set('Access-Control-Allow-Credentials', 'true');
            $response->headers->set('Access-Control-Allow-Methods', 'POST, GET, PUT, DELETE, PATCH, OPTIONS');
            $response->headers->set('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization');
            $response->headers->set('Access-Control-Max-Age', 3600);
            //$response->headers->set('Access-Control-Allow-Origin', '*');
            $event->setResponse($response);
            return;
        }
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        $request = $event->getRequest();
        $corsOrigin = $request->headers->get('origin');

        // Run CORS check in here to ensure the domain is in the system.
        // Strict comparison: only an origin literally present in the list is echoed back.
        if (null !== $corsOrigin && in_array($corsOrigin, $this->cors, true)) {
            $response = $event->getResponse();
            $response->headers->set('Access-Control-Allow-Credentials', 'true');
            $response->headers->set('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization');
            $response->headers->set('Access-Control-Allow-Origin', $corsOrigin);
            $response->headers->set('Access-Control-Allow-Methods', 'POST, GET, PUT, DELETE, PATCH, OPTIONS');
            // Caches must key on Origin, otherwise one origin's answer is served to another.
            $response->headers->set('Vary', 'Origin');
            $event->setResponse($response);
        }
    }
}
...
<service id="app.tokens.action_listener" class="AppBundle\EventListener\CorsListener">
    <argument>%app_bundle.cors.origins%</argument>
    <!-- Leftover: CorsListener has no onKernelController method, so this tag must not be active.
    <tag name="kernel.event_listener" event="kernel.controller" method="onKernelController" />
    -->
    <tag name="kernel.event_listener" event="kernel.response" method="onKernelResponse" />
    <tag name="kernel.event_listener" event="kernel.request" method="onKernelRequest" priority="300" />
</service>
...
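The allow-list decision the listener makes, extracted into a pure function so it can be run without Symfony. This is an added example, not code from the gist; it assumes the same origin array the service receives as %app_bundle.cors.origins%, and, unlike the gist, it withholds every CORS header (preflight included) when the Origin header is absent or not listed.

```php
<?php
// Added example (not from the gist): the listener's CORS decision as a pure function.
// Assumed: $allowedOrigins is the array the gist passes as %app_bundle.cors.origins%.

/**
 * Return the CORS headers to add for a request, or an empty array when the
 * Origin header is absent or not on the allow-list.
 */
function corsHeaders(string $method, ?string $origin, array $allowedOrigins): array
{
    // Strict comparison: never echo back an origin that is not literally listed.
    if ($origin === null || !in_array($origin, $allowedOrigins, true)) {
        return [];
    }

    $headers = [
        'Access-Control-Allow-Origin'      => $origin,   // the matched origin, not '*'
        'Access-Control-Allow-Credentials' => 'true',    // '*' is not valid together with credentials
        'Access-Control-Allow-Methods'     => 'POST, GET, PUT, DELETE, PATCH, OPTIONS',
        'Access-Control-Allow-Headers'     => 'Origin, Content-Type, Accept, Authorization',
        'Vary'                             => 'Origin',  // caches must not reuse the answer across origins
    ];

    if ($method === 'OPTIONS') {
        // Preflight: how long the browser may cache this decision.
        $headers['Access-Control-Max-Age'] = '3600';
    }

    return $headers;
}

// Constructed sample allow-list and requests.
$allowed = ['https://app.example.com', 'https://admin.example.com'];

$cases = [
    ['GET',     'https://app.example.com',          'listed origin'],
    ['OPTIONS', 'https://admin.example.com',        'preflight from listed origin'],
    ['GET',     'https://evil.example.net',         'unlisted origin'],
    ['GET',     'https://app.example.com.evil.net', 'origin that only prefix-matches'],
    ['GET',     null,                               'same-origin request (no Origin header)'],
];

foreach ($cases as [$method, $origin, $label]) {
    $h = corsHeaders($method, $origin, $allowed);
    printf("%-42s -> %s\n", $label, $h ? $h['Access-Control-Allow-Origin'] : 'no CORS headers');
}
```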
@nikoladimitrijevic

Hello.
First, what's the parameter value for %app_bundle.cors.origins%, and second, I don't understand why you have the event kernel.controller for the onKernelController method when you don't have that method in your CorsListener class in the first place?
Thanks in advance.

@Steveb-p

Steveb-p commented Dec 15, 2017

@nikoladimitrijevic The %app_bundle.cors.origins% parameter is used as an array of origins that are allowed access (other domains and potentially ports). onKernelController looks like a leftover and can/should be removed from the services configuration.

For me, I had to remove the parameter since I wanted my server to be accessible from any domain.

Also, the $corsOrigin variable in the code is missing, but you probably want to put $request->headers->get('origin') in it if you want POST requests to be available (or just * if GET is all you want).

Also note that the priority for onKernelRequest is important.
