Commit 453d552d authored by alexpott's avatar alexpott

Issue #2853201 by hampercm, dawehner: [upstream] CORS breaks form submission...

Issue #2853201 by hampercm, dawehner: [upstream] CORS breaks form submission unless allowed origins includes site's own host
parent f7520a29
...@@ -8,27 +8,36 @@ ...@@ -8,27 +8,36 @@
"packages": [ "packages": [
{ {
"name": "asm89/stack-cors", "name": "asm89/stack-cors",
"version": "1.0.0", "version": "1.1.0",
"source": { "source": {
"type": "git", "type": "git",
"url": "https://github.com/asm89/stack-cors.git", "url": "https://github.com/asm89/stack-cors.git",
"reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc" "reference": "65ccbd455370f043c2e3b93482a3813603d68731"
}, },
"dist": { "dist": {
"type": "zip", "type": "zip",
"url": "https://api.github.com/repos/asm89/stack-cors/zipball/3ae8ef219bb4c9a6caf857421719aa07fa7776cc", "url": "https://api.github.com/repos/asm89/stack-cors/zipball/65ccbd455370f043c2e3b93482a3813603d68731",
"reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc", "reference": "65ccbd455370f043c2e3b93482a3813603d68731",
"shasum": "" "shasum": ""
}, },
"require": { "require": {
"php": ">=5.3.2", "php": ">=5.5.9",
"symfony/http-foundation": "~2.1|~3.0", "symfony/http-foundation": "~2.7|~3.0",
"symfony/http-kernel": "~2.1|~3.0" "symfony/http-kernel": "~2.7|~3.0"
},
"require-dev": {
"phpunit/phpunit": "^5.0 || ^4.8.10",
"squizlabs/php_codesniffer": "^2.3"
}, },
"type": "library", "type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.1-dev"
}
},
"autoload": { "autoload": {
"psr-0": { "psr-4": {
"Asm89\\Stack": "src/" "Asm89\\Stack\\": "src/Asm89/Stack/"
} }
}, },
"notification-url": "https://packagist.org/downloads/", "notification-url": "https://packagist.org/downloads/",
...@@ -47,7 +56,7 @@ ...@@ -47,7 +56,7 @@
"cors", "cors",
"stack" "stack"
], ],
"time": "2016-08-01T12:05:04+00:00" "time": "2017-04-11T20:03:41+00:00"
}, },
{ {
"name": "composer/installers", "name": "composer/installers",
......
...@@ -32,7 +32,7 @@ ...@@ -32,7 +32,7 @@
"zendframework/zend-diactoros": "~1.1", "zendframework/zend-diactoros": "~1.1",
"composer/semver": "~1.0", "composer/semver": "~1.0",
"paragonie/random_compat": "^1.0|^2.0", "paragonie/random_compat": "^1.0|^2.0",
"asm89/stack-cors": "~1.0" "asm89/stack-cors": "~1.1"
}, },
"conflict": { "conflict": {
"drush/drush": "<8.1.10" "drush/drush": "<8.1.10"
......
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
namespace Drupal\FunctionalTests\HttpKernel; namespace Drupal\FunctionalTests\HttpKernel;
use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase; use Drupal\Tests\BrowserTestBase;
/** /**
...@@ -72,6 +73,19 @@ public function testCrossSiteRequest() { ...@@ -72,6 +73,19 @@ public function testCrossSiteRequest() {
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']); $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->statusCodeEquals(200); $this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com'); $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
// Verify POST still functions with 'Origin' header set to site's domain.
$origin = \Drupal::request()->getSchemeAndHttpHost();
/** @var \GuzzleHttp\ClientInterface $httpClient */
$httpClient = $this->getSession()->getDriver()->getClient()->getClient();
$url = Url::fromUri('base:/test-page');
$response = $httpClient->request('POST', $url->setAbsolute()->toString(), [
'headers' => [
'Origin' => $origin,
]
]);
$this->assertEquals(200, $response->getStatusCode());
} }
} }
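Review bot: The added POST in testCrossSiteRequest() asserts only the accepting case, a 200 when `Origin` equals the site's own scheme and host, so nothing here pins that the same-host exemption stays narrow. A companion request whose `Origin` is neither the site's host nor a configured allowed origin, asserting the refusal status, would catch a regression that widens it; the allowed origins are configured earlier in the method, outside this hunk, so the value to use has to be checked there. Because `$origin` comes from `getSchemeAndHttpHost()`, which follows the request's Host header, the same-host comparison presumably depends on trusted host patterns being set, which deserves a comment such as `// Same-host detection follows the Host header; relies on trusted_host_patterns.` If the client keeps Guzzle's default error handling, passing `'http_errors' => FALSE` in the request options would let `assertEquals()` report the status instead of an exception being thrown on a 4xx/5xx.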