diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5ee7853..8d299a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 1.1.2
+
+- ZfrCors now properly detects a CORS request if the scheme is different.
+
 # 1.1.1
 
 - ZfrCors now properly detects a CORS request if the port is different.
diff --git a/src/ZfrCors/Service/CorsService.php b/src/ZfrCors/Service/CorsService.php
index 56ce79b..bf28405 100644
--- a/src/ZfrCors/Service/CorsService.php
+++ b/src/ZfrCors/Service/CorsService.php
@@ -65,9 +65,12 @@ public function isCorsRequest(HttpRequest $request)
         $originUri = UriFactory::factory($headers->get('Origin')->getFieldValue());
         $requestUri = $request->getUri();
 
-        $equivHosts = $originUri->getHost() === $requestUri->getHost();
-        $equivPorts = $originUri->getPort() === $requestUri->getPort();
-        return (!$equivHosts || !$equivPorts);
+        // According to the spec (http://tools.ietf.org/html/rfc6454#section-4), we should check host, port and scheme
+
+        return (!($originUri->getHost() === $requestUri->getHost())
+            || !($originUri->getPort() === $requestUri->getPort())
+            || !($originUri->getScheme() === $requestUri->getScheme())
+        );
     }
 
     /**
diff --git a/tests/ZfrCorsTest/Service/CorsServiceTest.php b/tests/ZfrCorsTest/Service/CorsServiceTest.php
index 34c657c..233a52a 100644
--- a/tests/ZfrCorsTest/Service/CorsServiceTest.php
+++ b/tests/ZfrCorsTest/Service/CorsServiceTest.php
@@ -253,4 +253,12 @@ public function testCanDetectCorsRequestFromSameHostButDifferentPort()
         $request->getHeaders()->addHeaderLine('Origin', 'http://example.com:9000');
         $this->assertTrue($this->corsService->isCorsRequest($request));
     }
+
+    public function testCanDetectCorsRequestFromSameHostButDifferentScheme()
+    {
+        $request = new HttpRequest();
+        $request->setUri('https://example.com');
+        $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
+        $this->assertTrue($this->corsService->isCorsRequest($request));
+    }
 }
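Review bot: The new return expression in isCorsRequest still compares raw URI components with `===`, so the RFC 6454 §4 rule the added comment cites is only partly implemented: that section compares hosts case-insensitively and treats an absent port as the scheme's default, whereas this code would, as far as the hunk shows, report an Origin of `http://example.com:80` or `http://EXAMPLE.com` as cross-origin against a request URI of `http://example.com` unless UriFactory already normalizes both sides, which is not visible here. How much that misclassification matters depends on what the caller does with a same-origin request flagged as CORS, so the comment should at least state the limitation: `// Compares raw components; host case-folding and scheme-default-port normalization (RFC 6454 §4) are not applied here`. The three `!(a === b)` terms read more directly as `!==`: `return $originUri->getHost() !== $requestUri->getHost() || $originUri->getPort() !== $requestUri->getPort() || $originUri->getScheme() !== $requestUri->getScheme();`. isCorsRequest begins before this hunk, so the Origin-header retrieval feeding `$originUri` is not reviewed here.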
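Review bot: The new test pins only the positive case for the scheme term in isCorsRequest, with no explicit port on either URI, so it would not catch a regression where the added `getScheme()` comparison (or the existing `getPort()` one) flags a genuinely same-origin request as CORS. If the suite does not already hold a same-origin negative case, one next to this test would make the three-way comparison's intended behaviour explicit; the sample below is a constructed companion test using the same fixtures as the hunk.

```php
    public function testDoesNotDetectCorsRequestFromSameSchemeHostAndPort()
    {
        $request = new HttpRequest();
        $request->setUri('http://example.com');
        $request->getHeaders()->addHeaderLine('Origin', 'http://example.com');
        $this->assertFalse($this->corsService->isCorsRequest($request));
    }
```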