Comments (9)
Here's a suggestion for CORS documentation
CORS handling
What is CORS?
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources
to be requested from another domain outside the domain from which the first resource was served.
That means when a client (browser with angular app for example) accesses the server,
some special headers need to be sent in the response.
Otherwise the browser will refuse to access the server on POST requests, for example.
A detailed description of what CORS is and how it can be used for access restriction
is out of scope of this document. Please look out for other documentation.
Add CORS header
Use the `CORSHeaderSetter` middleware to add the `Access-Control-Allow-Origin` header to responses.
TODO provide example script
OPTIONS requests
Before POST requests a browser will send an OPTIONS request beforehand (preflight).
The response has to be 200 with some special headers.
By default the server will not generate such responses to OPTIONS requests.
Enabling OPTIONS request handling
With RestServerBuilder
When you use RestServerBuilder, the easiest way to enable CORS handling is this:
```php
$builder = new RestServerBuilder($di);
$builder->getEndpointFactory()->allowGlobalRequestAllowHeaderReflecting(true);
```
The `RestServerBuilder` will generate an OPTIONS handler (`OptionsMethodHandler`) for every endpoint automatically.
When `allowGlobalRequestAllowHeaderReflecting(true)` is not set, it can be enabled for endpoints by setting `'allowHeaders' => '*'`.
```php
'endpoints' => [
    '/users/{guid}' => [
        'name' => 'users',
        // enables CORS handling for this endpoint only
        'allowHeaders' => '*',
        'handlers' => [
            'POST' => \Vendor\MyServer\Api\v1\Endpoints\Users\PostHandler::class,
            'GET' => \Vendor\MyServer\Api\v1\Endpoints\Users\GetHandler::class,
        ],
    ],
],
```
For more detail you may have a look in `EndpointFactory`.
Without RestServerBuilder
When you build your endpoints without `RestServerBuilder` using the api, you have to add OPTIONS
handlers by yourself. You can use the `OptionsMethodHandler` for that.
TODO provide example script
Markdown
## CORS handling
### What is CORS?
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources
to be requested from another domain outside the domain from which the first resource was served.
That means when a client (browser with angular app for example) accesses the server,
some special headers need to be sent in the response.
Otherwise the browser will refuse to access the server on POST requests, for example.
A detailed description of what CORS is and how it can be used for access restriction
is out of scope of this document. Please look out for other documentation.
### Add CORS header
Use the `CORSHeaderSetter` middleware to add `Access-Control-Allow-Origin` header to responses.
TODO provide example script
### OPTIONS requests
Before POST requests a browser will send an OPTIONS request beforehand (preflight).
The response has to be 200 with some special headers.
By default the server will not generate such responses to OPTIONS requests.
### Enabling OPTIONS request handling
#### With RestServerBuilder
When you use RestServerBuilder, the easiest way to enable CORS handling is this:
```php
$builder = new RestServerBuilder($di);
$builder->getEndpointFactory()->allowGlobalRequestAllowHeaderReflecting(true);
```
The `RestServerBuilder` will generate an OPTIONS handler (`OptionsMethodHandler`) for every endpoint automatically.
When `allowGlobalRequestAllowHeaderReflecting(true)` is not set, it can be enabled for endpoints
by setting `'allowHeaders' => '*'`.
```php
'endpoints' => [
    '/users/{guid}' => [
        'name' => 'users',
        // enables CORS handling for this endpoint only
        'allowHeaders' => '*',
        'handlers' => [
            'POST' => \Vendor\MyServer\Api\v1\Endpoints\Users\PostHandler::class,
            'GET' => \Vendor\MyServer\Api\v1\Endpoints\Users\GetHandler::class,
        ],
    ],
],
```
For more detail you may have a look in `EndpointFactory`.
#### Without RestServerBuilder
When you build your endpoints without `RestServerBuilder` using the api, you have to add OPTIONS
handlers by yourself. You can use the `OptionsMethodHandler` for that.
TODO provide example script
from rest-daemon.
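What the "special headers" of a preflight response look like when the origin and the requested headers are checked against allowlists, rather than answered with `*` or reflected wholesale. This is an added example in plain PHP, not code from rest-daemon or from the comment above; the allowlist values, the function name `preflightResponse` and the lower-cased header array it takes are assumptions for illustration.

```php
<?php
// Added example: plain PHP, independent of rest-daemon's classes.
// The allowlists below are constructed sample values.
const ALLOWED_ORIGINS = ['https://app.example.com'];
const ALLOWED_HEADERS = ['content-type', 'accept', 'x-requested-with'];
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];

// Build the response for a CORS preflight (OPTIONS) request.
// $request maps lower-cased request header names to values; returns [status, headers].
function preflightResponse(array $request): array
{
    $origin = $request['origin'] ?? '';
    $method = strtoupper($request['access-control-request-method'] ?? '');

    // Unknown origin or method: answer without CORS headers, so the
    // browser does not send the actual request.
    if (!in_array($origin, ALLOWED_ORIGINS, true)
        || !in_array($method, ALLOWED_METHODS, true)) {
        return [403, ['Vary' => 'Origin']];
    }

    // Grant only the requested headers that are on the allowlist,
    // instead of echoing Access-Control-Request-Headers back verbatim.
    $requested = array_filter(array_map(
        function (string $h): string {
            return strtolower(trim($h));
        },
        explode(',', $request['access-control-request-headers'] ?? '')
    ));
    $granted = array_values(array_intersect($requested, ALLOWED_HEADERS));

    return [200, [
        'Access-Control-Allow-Origin'  => $origin,
        'Access-Control-Allow-Methods' => implode(', ', ALLOWED_METHODS),
        'Access-Control-Allow-Headers' => implode(', ', $granted),
        'Vary'                         => 'Origin',
    ]];
}

// Constructed sample preflight, as a browser sends before a JSON POST.
[$status, $headers] = preflightResponse([
    'origin'                         => 'https://app.example.com',
    'access-control-request-method'  => 'POST',
    'access-control-request-headers' => 'Content-Type, X-Custom',
]);
echo $status, "\n";
foreach ($headers as $name => $value) {
    echo "$name: $value\n";
}
```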
I guess HttpServerConfig::getAllowedOrigins() is meant to be used for something like that?
It seems it is never used.
from rest-daemon.
Is this helpful?
http://socketo.me/docs/origin
I don't know
from rest-daemon.
When I hack `Ratchet\Http\Router`, the request will be handled:
```php
} catch (ResourceNotFoundException $nfe) {
    // Test hack: answer every unmatched route with permissive CORS headers
    return $this->close($conn, 200, array(
        'Allow' => 'POST,OPTIONS',
        'Access-Control-Allow-Origin' => '*',
        'Access-Control-Allow-Headers' => 'Origin, X-Requested-With, Content-Type, Accept'
    ));
}
```
Of course this makes no sense. Just for testing.
I can't find any resource on how this is handled in Ratchet or Aerys the proper way. Am I missing something?
from rest-daemon.
I realized that in v0.10 there is an OPTIONS handler but I had 0.8 installed (rest-auth composer file). Sorry for that.
Although the options handler is registered it's never called and it's still not working. I might have messed up something?!
from rest-daemon.
I found out that CORS with the OPTIONS handler indeed works, but only with the Aerys driver, not with Ratchet. I'm fine with that.
rest-auth could be updated to prevent confusion.
from rest-daemon.
Rest-auth now (from v0.1.0) see to rest-daemon master branch for faster development.
I use rest-auth in a private project and test it with a real browser from another host - in this case CORS and the OPTIONS method are used.
Can your issue with CORS be resolved?
from rest-daemon.
Yes, with the latest rest-daemon version everything works as expected when I use the Aerys driver.
It doesn't work with the Ratchet driver. With the Ratchet driver I get a 404 on OPTIONS requests.
from rest-daemon.
Good job, @colorcube!
Thank you for the contribution.
Can you create a PR with these changes to master? I will read the diff.
I think a directory like `docs` with `.md` files and hyperlinks from README.md is a great starting point for extended documentation.
And I will try to test this behavior with the Ratchet driver, to check this behavior. And fix it if possible or submit a PR to @cboden
from rest-daemon.