Chris@0: container->getParameter('cors.config'); Chris@0: $this->assertSame(FALSE, $cors_config['enabled']); Chris@0: $this->assertSame([], $cors_config['allowedHeaders']); Chris@0: $this->assertSame([], $cors_config['allowedMethods']); Chris@0: $this->assertSame(['*'], $cors_config['allowedOrigins']); Chris@0: Chris@0: $this->assertSame(FALSE, $cors_config['exposedHeaders']); Chris@0: $this->assertSame(FALSE, $cors_config['maxAge']); Chris@0: $this->assertSame(FALSE, $cors_config['supportsCredentials']); Chris@0: Chris@0: // Enable CORS with the default options. Chris@0: $cors_config['enabled'] = TRUE; Chris@0: Chris@0: $this->setContainerParameter('cors.config', $cors_config); Chris@0: $this->rebuildContainer(); Chris@0: Chris@0: // Fire off a request. Chris@0: $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']); Chris@0: $this->assertSession()->statusCodeEquals(200); Chris@0: $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'MISS'); Chris@0: $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com'); Chris@0: Chris@0: // Fire the same exact request. This time it should be cached. Chris@0: $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']); Chris@0: $this->assertSession()->statusCodeEquals(200); Chris@0: $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT'); Chris@0: $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com'); Chris@0: Chris@0: // Fire a request for a different origin. Verify the CORS header. Chris@0: $this->drupalGet('/test-page', [], ['Origin' => 'http://example.org']); Chris@0: $this->assertSession()->statusCodeEquals(200); Chris@0: $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT'); Chris@0: $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.org'); Chris@0: Chris@0: // Configure the CORS stack to allow a specific set of origins. Chris@0: $cors_config['allowedOrigins'] = ['http://example.com']; Chris@0: Chris@0: $this->setContainerParameter('cors.config', $cors_config); Chris@0: $this->rebuildContainer(); Chris@0: Chris@0: // Fire a request from an origin that isn't allowed. Chris@0: /** @var \Symfony\Component\HttpFoundation\Response $response */ Chris@0: $this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']); Chris@0: $this->assertSession()->statusCodeEquals(403); Chris@0: $this->assertSession()->pageTextContains('Not allowed.'); Chris@0: Chris@0: // Specify a valid origin. Chris@0: $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']); Chris@0: $this->assertSession()->statusCodeEquals(200); Chris@0: $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com'); Chris@0: Chris@0: // Verify POST still functions with 'Origin' header set to site's domain. Chris@0: $origin = \Drupal::request()->getSchemeAndHttpHost(); Chris@0: Chris@0: /** @var \GuzzleHttp\ClientInterface $httpClient */ Chris@0: $httpClient = $this->getSession()->getDriver()->getClient()->getClient(); Chris@0: $url = Url::fromUri('base:/test-page'); Chris@0: $response = $httpClient->request('POST', $url->setAbsolute()->toString(), [ Chris@0: 'headers' => [ Chris@0: 'Origin' => $origin, Chris@17: ], Chris@0: ]); Chris@0: $this->assertEquals(200, $response->getStatusCode()); Chris@0: } Chris@0: Chris@0: }