Merge pull request #20 from zf-fr/scheme

Add detection of scheme
zf-fr · Dec 18, 2013 · f48f898 · f48f898
2 parents eb36cd5 + 44590b8
commit f48f898
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 1.1.2
+
+- ZfrCors now properly detects a CORS request if the scheme is different.
+
 # 1.1.1
 
 - ZfrCors now properly detects a CORS request if the port is different.

diff --git a/src/ZfrCors/Service/CorsService.php b/src/ZfrCors/Service/CorsService.php
@@ -65,9 +65,12 @@ public function isCorsRequest(HttpRequest $request)
         $originUri  = UriFactory::factory($headers->get('Origin')->getFieldValue());
         $requestUri = $request->getUri();
 
-        $equivHosts = $originUri->getHost() === $requestUri->getHost();
-        $equivPorts = $originUri->getPort() === $requestUri->getPort();
-        return (!$equivHosts || !$equivPorts);
+        // According to the spec (http://tools.ietf.org/html/rfc6454#section-4), we should check host, port and scheme
+
+        return (!($originUri->getHost() === $requestUri->getHost())
+            || !($originUri->getPort() === $requestUri->getPort())
+            || !($originUri->getScheme() === $requestUri->getScheme())
+        );
     }
 
     /**

diff --git a/tests/ZfrCorsTest/Service/CorsServiceTest.php b/tests/ZfrCorsTest/Service/CorsServiceTest.php
@@ -253,4 +253,12 @@ public function testCanDetectCorsRequestFromSameHostButDifferentPort()
         $request->getHeaders()->addHeaderLine('Origin', 'http://example.com:9000');
         $this->assertTrue($this->corsService->isCorsRequest($request));
     }
+
+    public function testCanDetectCorsRequestFromSameHostButDifferentScheme()
+    {
+        $request = new HttpRequest();
+        $request->setUri('https://example.com');
+        $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
+        $this->assertTrue($this->corsService->isCorsRequest($request));
+    }
 }