From 3db8f620a48ffcbee654178dc19e2e0447089916 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Sat, 8 Jan 2022 11:07:24 +0000
Subject: [PATCH] Issue #3128982 by davidwbarratt, Spokje, andypost, Barryvdh,
 larowlan, catch, alexpott: Upgrade asm89/stack-cors to ^2.0 to fix
 cacheability

---
 composer.lock                                 | 30 ++++++-------
 .../Metapackage/CoreRecommended/composer.json |  2 +-
 core/composer.json                            |  2 +-
 .../HttpKernel/CorsIntegrationTest.php        | 42 ++++++++++++++++---
 4 files changed, 53 insertions(+), 23 deletions(-)

diff --git a/composer.lock b/composer.lock
index ca0806a233f2..e6f41f52dc3d 100644
--- a/composer.lock
+++ b/composer.lock
@@ -8,36 +8,36 @@
     "packages": [
         {
             "name": "asm89/stack-cors",
-            "version": "1.3.0",
+            "version": "v2.0.5",
             "source": {
                 "type": "git",
                 "url": "https://github.com/asm89/stack-cors.git",
-                "reference": "b9c31def6a83f84b4d4a40d35996d375755f0e08"
+                "reference": "7a198ec737e926eab15d29368fc6fff66772b0e2"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/asm89/stack-cors/zipball/b9c31def6a83f84b4d4a40d35996d375755f0e08",
-                "reference": "b9c31def6a83f84b4d4a40d35996d375755f0e08",
+                "url": "https://api.github.com/repos/asm89/stack-cors/zipball/7a198ec737e926eab15d29368fc6fff66772b0e2",
+                "reference": "7a198ec737e926eab15d29368fc6fff66772b0e2",
                 "shasum": ""
             },
             "require": {
-                "php": ">=5.5.9",
-                "symfony/http-foundation": "~2.7|~3.0|~4.0|~5.0",
-                "symfony/http-kernel": "~2.7|~3.0|~4.0|~5.0"
+                "php": "^7.0|^8.0",
+                "symfony/http-foundation": "~2.7|~3.0|~4.0|~5.0|~6.0",
+                "symfony/http-kernel": "~2.7|~3.0|~4.0|~5.0|~6.0"
             },
             "require-dev": {
-                "phpunit/phpunit": "^5.0 || ^4.8.10",
-                "squizlabs/php_codesniffer": "^2.3"
+                "phpunit/phpunit": "^6|^7|^8|^9",
+                "squizlabs/php_codesniffer": "^3.5"
             },
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.2-dev"
+                    "dev-master": "2.0-dev"
                 }
             },
             "autoload": {
                 "psr-4": {
-                    "Asm89\\Stack\\": "src/Asm89/Stack/"
+                    "Asm89\\Stack\\": "src/"
                 }
             },
             "notification-url": "https://packagist.org/downloads/",
@@ -58,9 +58,9 @@
             ],
             "support": {
                 "issues": "https://github.com/asm89/stack-cors/issues",
-                "source": "https://github.com/asm89/stack-cors/tree/1.3.0"
+                "source": "https://github.com/asm89/stack-cors/tree/v2.0.5"
             },
-            "time": "2019-12-24T22:41:47+00:00"
+            "time": "2022-01-03T15:27:13+00:00"
         },
         {
             "name": "composer/installers",
@@ -452,10 +452,10 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "7963aa1162a3808d6d854bbba38a125121839b66"
+                "reference": "0c0d32e4674b75c965916f8ec909674a0b9dd3e9"
             },
             "require": {
-                "asm89/stack-cors": "^1.1",
+                "asm89/stack-cors": "^2.0.2",
                 "composer/semver": "^3.0",
                 "doctrine/annotations": "^1.12",
                 "egulias/email-validator": "^2.1.22|^3.0",
diff --git a/composer/Metapackage/CoreRecommended/composer.json b/composer/Metapackage/CoreRecommended/composer.json
index 96e100bfb060..88b05f6b2183 100644
--- a/composer/Metapackage/CoreRecommended/composer.json
+++ b/composer/Metapackage/CoreRecommended/composer.json
@@ -8,7 +8,7 @@
     },
     "require": {
         "drupal/core": "10.0.x-dev",
-        "asm89/stack-cors": "1.3.0",
+        "asm89/stack-cors": "v2.0.5",
         "composer/semver": "3.2.6",
         "doctrine/annotations": "1.13.2",
         "doctrine/lexer": "1.2.1",
diff --git a/core/composer.json b/core/composer.json
index 4c320a030ce9..1e3a3ab50771 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -42,7 +42,7 @@
         "masterminds/html5": "^2.1",
         "symfony/psr-http-message-bridge": "^2.0",
         "composer/semver": "^3.0",
-        "asm89/stack-cors": "^1.1",
+        "asm89/stack-cors": "^2.0.2",
         "pear/archive_tar": "^1.4.14",
         "psr/log": "^1.0"
     },
diff --git a/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php b/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
index be644750a83c..ac21766b0d2d 100644
--- a/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
+++ b/core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php
@@ -48,21 +48,24 @@ public function testCrossSiteRequest() {
     $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
     $this->assertSession()->statusCodeEquals(200);
     $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'MISS');
-    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', '*');
+    $this->assertSession()->responseHeaderNotContains('Vary', 'Origin');
 
     // Fire the same exact request. This time it should be cached.
     $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
     $this->assertSession()->statusCodeEquals(200);
     $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
-    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', '*');
+    $this->assertSession()->responseHeaderNotContains('Vary', 'Origin');
 
     // Fire a request for a different origin. Verify the CORS header.
     $this->drupalGet('/test-page', [], ['Origin' => 'http://example.org']);
     $this->assertSession()->statusCodeEquals(200);
     $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
-    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.org');
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', '*');
+    $this->assertSession()->responseHeaderNotContains('Vary', 'Origin');
 
-    // Configure the CORS stack to allow a specific set of origins.
+    // Configure the CORS stack to allow a specific origin.
     $cors_config['allowedOrigins'] = ['http://example.com'];
 
     $this->setContainerParameter('cors.config', $cors_config);
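Review bot: The wildcard assertions at L127, L135 and L143 depend on whatever `$cors_config['allowedOrigins']` was set to before the hunk (presumably `['*']`), and nothing in the hunk states that precondition; a one-line comment before L123, `// With allowedOrigins = ['*'] stack-cors emits a static '*' and no Vary: Origin, so the response is cacheable as-is.`, would make it explicit. Since a wildcard origin is only meaningful without credentials, adding `$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Credentials', NULL);` next to each `'*'` assertion would catch a later config change that browsers reject but that this test would otherwise not notice. testCrossSiteRequest begins before this hunk.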
@@ -71,13 +74,40 @@ public function testCrossSiteRequest() {
     // Fire a request from an origin that isn't allowed.
     /** @var \Symfony\Component\HttpFoundation\Response $response */
     $this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
-    $this->assertSession()->statusCodeEquals(403);
-    $this->assertSession()->pageTextContains('Not allowed.');
+    $this->assertSession()->statusCodeEquals(200);
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+    $this->assertSession()->responseHeaderNotContains('Vary', 'Origin');
 
     // Specify a valid origin.
     $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
     $this->assertSession()->statusCodeEquals(200);
     $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+    $this->assertSession()->responseHeaderNotContains('Vary', 'Origin');
+
+    // Configure the CORS stack to allow a specific set of origins.
+    $cors_config['allowedOrigins'] = ['http://example.com', 'https://drupal.org'];
+
+    $this->setContainerParameter('cors.config', $cors_config);
+    $this->rebuildContainer();
+
+    // Fire a request from an origin that isn't allowed.
+    /** @var \Symfony\Component\HttpFoundation\Response $response */
+    $this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
+    $this->assertSession()->statusCodeEquals(200);
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', NULL);
+    $this->assertSession()->responseHeaderContains('Vary', 'Origin');
+
+    // Specify a valid origin.
+    $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
+    $this->assertSession()->statusCodeEquals(200);
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
+    $this->assertSession()->responseHeaderContains('Vary', 'Origin');
+
+    // Specify a valid origin.
+    $this->drupalGet('/test-page', [], ['Origin' => 'https://drupal.org']);
+    $this->assertSession()->statusCodeEquals(200);
+    $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'https://drupal.org');
+    $this->assertSession()->responseHeaderContains('Vary', 'Origin');
 
     // Verify POST still functions with 'Origin' header set to site's domain.
     $origin = \Drupal::request()->getSchemeAndHttpHost();
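Review bot: The multi-origin block at L167-L190 never asserts `X-Drupal-Cache`, so the cacheability property this commit is about — a cached response carrying one origin's `Access-Control-Allow-Origin` must not be served to another origin — is not actually observed there; only the earlier wildcard block checks HIT/MISS. Repeating the `http://example.com` request, asserting a HIT that still carries the example.com header, and immediately following it with the `https://drupal.org` request would pin this (sketch below). The `/** @var ... $response */` annotation at L174 was copied from L153 and neither site assigns `$response`, so both should be dropped. The disallowed-origin request at L175 now gets 200 rather than 403, which is expected with stack-cors 2.x since the browser enforces the absent header, and the comment at L173 should say so: `// Not rejected server-side: the browser enforces the missing Access-Control-Allow-Origin.`. testCrossSiteRequest continues past the end of the hunk.
```php
// … unchanged: first request from http://example.com (L181-L184) …

// Repeat the identical request: it must come from the page cache and still
// carry the header for the requesting origin.
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');

// A different allowed origin must never receive the cached example.com header.
$this->drupalGet('/test-page', [], ['Origin' => 'https://drupal.org']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'https://drupal.org');
$this->assertSession()->responseHeaderContains('Vary', 'Origin');
```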
-- 
GitLab