Multiple ESI Tokens #32

- CORS: Add "Content-Type" to allowed headers.
tkhamez · Jul 25, 2021 · 39e04ca · 39e04ca
1 parent b8d2d77
commit 39e04ca
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/backend/src/Middleware/Psr15/Cors.php b/backend/src/Middleware/Psr15/Cors.php
@@ -55,7 +55,7 @@ private function addHeader(ServerRequestInterface $request, ResponseInterface $r
             $response = $response
                 ->withHeader('Access-Control-Allow-Origin', $origin)
                 #->withHeader('Access-Control-Allow-Headers', 'Authorization')
-                ->withHeader('Access-Control-Allow-Headers', CSRFToken::CSRF_HEADER_NAME)
+                ->withHeader('Access-Control-Allow-Headers', [CSRFToken::CSRF_HEADER_NAME, 'Content-Type'])
                 ->withHeader('Access-Control-Allow-Credentials', 'true')
                 ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
             ;

diff --git a/backend/tests/Unit/Middleware/Psr15/CorsTest.php b/backend/tests/Unit/Middleware/Psr15/CorsTest.php
@@ -16,15 +16,15 @@ class CorsTest extends TestCase
     public function testAddsHeader()
     {
         $req = RequestFactory::createRequest();
-        $req = $req->withHeader('HTTP_ORIGIN', 'https://domain.tld');
+        $req = $req->withHeader('HTTP_ORIGIN', 'https://domain1.tld');
 
-        $cors = new Cors(new ResponseFactory(), ['https://domain.tld', 'https://domain2.tld']);
+        $cors = new Cors(new ResponseFactory(), ['https://domain1.tld', 'https://domain2.tld']);
         $response = $cors->process($req, new RequestHandler());
 
         $headers = $response->getHeaders();
         $this->assertSame([
-            'Access-Control-Allow-Origin' => ['https://domain.tld'],
-            'Access-Control-Allow-Headers' => [CSRFToken::CSRF_HEADER_NAME],
+            'Access-Control-Allow-Origin' => ['https://domain1.tld'],
+            'Access-Control-Allow-Headers' => [CSRFToken::CSRF_HEADER_NAME, 'Content-Type'],
             'Access-Control-Allow-Credentials' => ['true'],
             'Access-Control-Allow-Methods' => ['GET, POST, PUT, DELETE, OPTIONS'],
         ], $headers);
@@ -33,9 +33,9 @@ public function testAddsHeader()
     public function testDoesNotAddHeader()
     {
         $req = RequestFactory::createRequest();
-        $req = $req->withHeader('HTTP_ORIGIN', 'http://domain.tld');
+        $req = $req->withHeader('HTTP_ORIGIN', 'https://domain3.tld');
 
-        $cors = new Cors(new ResponseFactory(), ['https://domain.tld', 'https://domain2.tld']);
+        $cors = new Cors(new ResponseFactory(), ['https://domain1.tld', 'https://domain2.tld']);
         $response = $cors->process($req, new RequestHandler());
 
         $this->assertSame([], $response->getHeaders());