flowpack / cors
CORS HTTP component (middleware) for Neos Flow
v1.0.0-alpha2
2021-08-20 10:20 UTC
Requires
- neos/flow: ^4.0 || ^5.0 || ^6.0
This package is auto-updated.
Last update: 2024-09-20 16:46:25 UTC
README
A fully featured CORS HTTP component (also known as middleware) for the Flow framework that allows "cross-domain" requests.
⚡️ Warning
This package is not working with version 7.0 and higher of the Neos/Flow framework.
In version 7.0 we introduced PSR-15 Middlewares and it is possible to use other PHP libraries instead.
For instance https://github.com/tuupola/cors-middleware
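Background
This package is an implementation of a Cross-Origin Resource Sharing (CORS) middleware (see https://mdn.org.cn/en-US/docs/Glossary/CORS). It allows the client (browser) of a web application to perform "cross-domain" requests.
This work is partially based on the excellent HTTP middleware github.com/rs/cors for the Go programming language.
Installation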
composer require flowpack/cors
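(Refer to the composer documentation for more details)
The default settings enable CORS for all origins (*) in the Flow Development context. This is usually not desired in a production context.
Configuration
Set the options in your package's or the global Settings.yaml (see the Flow framework configuration).
Enabling CORS in the production context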
Flowpack:
  Cors:
    enabled: true
    allowedOrigins:
      - 'trusted-domain.tld'
Adding additional allowed headers (e.g. Authorization)
Flowpack:
  Cors:
    allowedHeaders:
      # defaults
      - 'Origin'
      - 'Accept'
      - 'Content-Type'
      # additional headers
      - 'Authorization'
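Note: make sure to set all array values in your configuration, including the defaults if you want to keep them, because Flow merges configuration arrays by their numeric keys, which can lead to undesired effects.
Configuration reference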
Flowpack:
  Cors:
    enabled: false
    # A list of origins a cross-domain request can be executed from
    # If the special * value is present in the list, all origins will be allowed.
    # An origin may contain a wildcard (*) to replace 0 or more characters (i.e.: http://*.domain.com).
    # Only one wildcard can be used per origin.
    #
    allowedOrigins:
      - '*'
    # A list of methods the client is allowed to use with cross-domain requests.
    #
    allowedMethods:
      - 'GET'
      - 'POST'
    # A list of non simple headers the client is allowed to use with cross-domain requests.
    #
    allowedHeaders:
      - 'Origin'
      - 'Accept'
      - 'Content-Type'
    # Indicates which headers are safe to expose to the API of a CORS API specification
    #
    exposedHeaders: []
    # Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
    #
    allowCredentials: false
    # Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
    #
    maxAge: 0
    # Instructs preflight to let other potential next components to process the OPTIONS method. Turn this on if your application handles OPTIONS.
    #
    optionsPassthrough: false
    # Debugging flag adds additional logging to System.log to debug server-side CORS issues.
    #
    debug: false
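The wildcard rule in the reference above (a single * standing for 0 or more characters) decides which origins an allowedOrigins entry admits, so it is worth checking entries before they reach production. The following PHP is an added example, not code from flowpack/cors: originMatches and auditCorsSettings are hypothetical helpers, the prefix/suffix matching is an assumed reading of the documented rule, and the settings and origins are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; not code from flowpack/cors.
// Applies the documented rule: "*" alone allows every origin, and a single
// "*" inside an entry stands for 0 or more characters.
function originMatches(string $entry, string $origin): bool
{
    if ($entry === '*') {
        return true;
    }
    if (substr_count($entry, '*') !== 1) {
        return $entry === $origin; // exact entry, or unsupported multi-wildcard
    }
    [$prefix, $suffix] = explode('*', $entry, 2);
    return strlen($origin) >= strlen($prefix) + strlen($suffix)
        && strncmp($origin, $prefix, strlen($prefix)) === 0
        && ($suffix === '' || substr($origin, -strlen($suffix)) === $suffix);
}

// Returns review findings for a Flowpack.Cors settings array.
function auditCorsSettings(array $cors): array
{
    $findings = [];
    $origins = $cors['allowedOrigins'] ?? [];
    if (in_array('*', $origins, true)) {
        $findings[] = 'allowedOrigins contains "*": every origin is allowed';
        if (!empty($cors['allowCredentials'])) {
            $findings[] = 'allowCredentials is true while every origin is allowed';
        }
    }
    foreach ($origins as $entry) {
        $stars = substr_count($entry, '*');
        if ($stars > 1) {
            $findings[] = "$entry: more than one wildcard";
        } elseif ($stars === 1 && $entry !== '*' && strpos($entry, '*.') === false) {
            $findings[] = "$entry: wildcard is not anchored to a dot";
        }
    }
    return $findings;
}

// Constructed sample settings and origins.
$cors = ['allowCredentials' => true,
         'allowedOrigins' => ['https://*.example.com', 'https://*example.org']];
foreach (['https://app.example.com', 'https://example.com', 'https://notexample.org'] as $origin) {
    $hits = array_filter($cors['allowedOrigins'], function ($e) use ($origin) {
        return originMatches($e, $origin);
    });
    echo $origin, ' => ', $hits ? 'allowed by ' . implode(', ', $hits) : 'rejected', PHP_EOL;
}
echo implode(PHP_EOL, auditCorsSettings($cors)), PHP_EOL;
```

Under this reading, the entry with the wildcard directly in front of the domain name admits an unrelated host that merely ends in the same characters, while the dot-anchored entry admits subdomains only and rejects the bare domain, which then needs its own exact entry.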