exposed headers

daycry · Jun 28, 2023 · f65263c · f65263c
1 parent 3d2d44b
commit f65263c
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 9 deletions.
diff --git a/src/Config/RestFul.php b/src/Config/RestFul.php
@@ -206,7 +206,7 @@ class RestFul extends BaseConfig
     * Set to TRUE to enable Cross-Origin Resource Sharing (CORS) from any
     * source domain
     */
-    public bool $allowAnyCorsDomain = true;
+    public bool $allowAnyCorsDomain = false;
 
     /**
     * --------------------------------------------------------------------------
@@ -261,7 +261,7 @@ class RestFul extends BaseConfig
     | http://docs.sencha.com/extjs/6.5.2/classic/Ext.data.proxy.Rest.html#cfg-withCredentials
     |
     */
-    public array $forcedCorsHeaders = [ 'Access-Control-Allow-Credentials' => 'true' ];
+    public bool $supportsCredentials = false;
 
     /**
      * --------------------------------------------------------------------------

diff --git a/src/Validators/Cors.php b/src/Validators/Cors.php
@@ -40,12 +40,14 @@ public static function check(ResponseInterface &$response)
         $response->setHeader('Access-Control-Allow-Headers', $allowedCorsHeaders);
         $response->setHeader('Access-Control-Allow-Methods', $allowedCorsMethods);
 
-        $forcedheaders = service('settings')->get('RestFul.forcedCorsHeaders');
-        // If there are headers that should be forced in the CORS check, add them now
-        if (is_array($forcedheaders)) {
-            foreach ($forcedheaders as $header => $value) {
-                $response->setHeader($header, $value);
-            }
+        $response->setHeader('Access-Control-Expose-Headers', implode(', ', service('settings')->get('RestFul.exposedCorsHeaders')));
+
+        if (service('settings')->get('RestFul.corsMaxAge') !== null) {
+            $response = $response->setHeader('Access-Control-Max-Age', (string) service('settings')->get('RestFul.corsMaxAge'));
+        }
+
+        if (service('settings')->get('RestFul.supportsCredentials')) {
+            $response = $response->setHeader('Access-Control-Allow-Credentials', 'true');
         }
 
     }

diff --git a/tests/Validators/CorsTest.php b/tests/Validators/CorsTest.php
@@ -70,7 +70,7 @@ public function testCorsAllowCustomDomainError(): void
         $result = $this->call('get', 'example');
 
         $result->assertHeaderMissing('Access-Control-Allow-Origin');
-        $result->assertHeader('Access-Control-Allow-Credentials');
+        $result->assertHeaderMissing('Access-Control-Allow-Credentials');
     }
 
     public function testCorsOptionsMethodError(): void