From 453d552da95c2455a000d79e32ce704d066b4c4e Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Sat, 22 Apr 2017 13:12:09 +0100
Subject: [PATCH] Issue #2853201 by hampercm, dawehner: [upstream] CORS breaks
form submission unless allowed origins includes site's own host
---
composer.lock | 29 ++++++++++++-------
core/composer.json | 2 +-
.../HttpKernel/CorsIntegrationTest.php | 14 +++++++++
3 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/composer.lock b/composer.lock
index 0b633161a1cb..0f89f38ac5ac 100644
--- a/composer.lock
+++ b/composer.lock
@@ -8,27 +8,36 @@
"packages": [
{
"name": "asm89/stack-cors",
- "version": "1.0.0",
+ "version": "1.1.0",
"source": {
"type": "git",
"url": "https://github.com/asm89/stack-cors.git",
- "reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc"
+ "reference": "65ccbd455370f043c2e3b93482a3813603d68731"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/asm89/stack-cors/zipball/3ae8ef219bb4c9a6caf857421719aa07fa7776cc",
- "reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc",
+ "url": "https://api.github.com/repos/asm89/stack-cors/zipball/65ccbd455370f043c2e3b93482a3813603d68731",
+ "reference": "65ccbd455370f043c2e3b93482a3813603d68731",
"shasum": ""
},
"require": {
- "php": ">=5.3.2",
- "symfony/http-foundation": "~2.1|~3.0",
- "symfony/http-kernel": "~2.1|~3.0"
+ "php": ">=5.5.9",
+ "symfony/http-foundation": "~2.7|~3.0",
+ "symfony/http-kernel": "~2.7|~3.0"
+ },
+ "require-dev": {
+ "phpunit/phpunit": "^5.0 || ^4.8.10",
+ "squizlabs/php_codesniffer": "^2.3"
},
"type": "library",
+ "extra": {
+ "branch-alias": {
+ "dev-master": "1.1-dev"
+ }
+ },
"autoload": {
- "psr-0": {
- "Asm89\\Stack": "src/"
+ "psr-4": {
+ "Asm89\\Stack\\": "src/Asm89/Stack/"
}
},
"notification-url": "https://packagist.org/downloads/",
@@ -47,7 +56,7 @@
"cors",
"stack"
],
- "time": "2016-08-01T12:05:04+00:00"
+ "time": "2017-04-11T20:03:41+00:00"
},
{
"name": "composer/installers",
diff --git a/core/composer.json b/core/composer.json
index 82ea0e6a4d52..c3600ab1a6e8 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -32,7 +32,7 @@
"zendframework/zend-diactoros": "~1.1",
"composer/semver": "~1.0",
"paragonie/random_compat": "^1.0|^2.0",
- "asm89/stack-cors": "~1.0"
+ "asm89/stack-cors": "~1.1"
},
"conflict": {
"drush/drush": "<8.1.10"
diff --git a/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php b/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
index c29324a01351..c8748342fb72 100644
--- a/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
+++ b/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
@@ -2,6 +2,7 @@
namespace Drupal\FunctionalTests\HttpKernel;
+use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase;
/**
@@ -72,6 +73,19 @@ public function testCrossSiteRequest() {
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+
+ // Verify POST still functions with 'Origin' header set to site's domain.
+ $origin = \Drupal::request()->getSchemeAndHttpHost();
+
+ /** @var \GuzzleHttp\ClientInterface $httpClient */
+ $httpClient = $this->getSession()->getDriver()->getClient()->getClient();
+ $url = Url::fromUri('base:/test-page');
+ $response = $httpClient->request('POST', $url->setAbsolute()->toString(), [
+ 'headers' => [
+ 'Origin' => $origin,
+ ]
+ ]);
+ $this->assertEquals(200, $response->getStatusCode());
}
}
--
GitLab