Commit 453d552d authored by alexpott's avatar alexpott

Issue #2853201 by hampercm, dawehner: [upstream] CORS breaks form submission...

Issue #2853201 by hampercm, dawehner: [upstream] CORS breaks form submission unless allowed origins includes site's own host
parent f7520a29
......@@ -8,27 +8,36 @@
"packages": [
{
"name": "asm89/stack-cors",
"version": "1.0.0",
"version": "1.1.0",
"source": {
"type": "git",
"url": "https://github.com/asm89/stack-cors.git",
"reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc"
"reference": "65ccbd455370f043c2e3b93482a3813603d68731"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/asm89/stack-cors/zipball/3ae8ef219bb4c9a6caf857421719aa07fa7776cc",
"reference": "3ae8ef219bb4c9a6caf857421719aa07fa7776cc",
"url": "https://api.github.com/repos/asm89/stack-cors/zipball/65ccbd455370f043c2e3b93482a3813603d68731",
"reference": "65ccbd455370f043c2e3b93482a3813603d68731",
"shasum": ""
},
"require": {
"php": ">=5.3.2",
"symfony/http-foundation": "~2.1|~3.0",
"symfony/http-kernel": "~2.1|~3.0"
"php": ">=5.5.9",
"symfony/http-foundation": "~2.7|~3.0",
"symfony/http-kernel": "~2.7|~3.0"
},
"require-dev": {
"phpunit/phpunit": "^5.0 || ^4.8.10",
"squizlabs/php_codesniffer": "^2.3"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.1-dev"
}
},
"autoload": {
"psr-0": {
"Asm89\\Stack": "src/"
"psr-4": {
"Asm89\\Stack\\": "src/Asm89/Stack/"
}
},
"notification-url": "https://packagist.org/downloads/",
......@@ -47,7 +56,7 @@
"cors",
"stack"
],
"time": "2016-08-01T12:05:04+00:00"
"time": "2017-04-11T20:03:41+00:00"
},
{
"name": "composer/installers",
......
......@@ -32,7 +32,7 @@
"zendframework/zend-diactoros": "~1.1",
"composer/semver": "~1.0",
"paragonie/random_compat": "^1.0|^2.0",
"asm89/stack-cors": "~1.0"
"asm89/stack-cors": "~1.1"
},
"conflict": {
"drush/drush": "<8.1.10"
......
......@@ -2,6 +2,7 @@
namespace Drupal\FunctionalTests\HttpKernel;
use Drupal\Core\Url;
use Drupal\Tests\BrowserTestBase;
/**
......@@ -72,6 +73,19 @@ public function testCrossSiteRequest() {
$this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
$this->assertSession()->statusCodeEquals(200);
$this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
// Verify POST still functions with 'Origin' header set to site's domain.
$origin = \Drupal::request()->getSchemeAndHttpHost();
/** @var \GuzzleHttp\ClientInterface $httpClient */
$httpClient = $this->getSession()->getDriver()->getClient()->getClient();
$url = Url::fromUri('base:/test-page');
$response = $httpClient->request('POST', $url->setAbsolute()->toString(), [
'headers' => [
'Origin' => $origin,
]
]);
$this->assertEquals(200, $response->getStatusCode());
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment