flowpack/cors

CORS HTTP component (middleware) for Neos Flow

Type: neos-package

v1.0.0-alpha2 2021-08-20 10:20 UTC

This package is auto-updated.

Last update: 2024-09-20 16:46:25 UTC


README

A full-featured CORS HTTP component (also known as middleware) for the Flow framework that allows "cross-domain" requests.

⚡️ Warning

This package is not working with version 7.0 and higher of the Neos/Flow framework.
In version 7.0 we introduced PSR-15 Middlewares and it is possible to use other PHP libraries instead.

For instance https://github.com/tuupola/cors-middleware

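Background

This package is an implementation of a Cross-Origin Resource Sharing (CORS) middleware (see https://mdn.org.cn/en-US/docs/Glossary/CORS). It allows the client (browser) of a web application to perform "cross-domain" requests.

This work is partly based on github.com/rs/cors, the excellent HTTP middleware for the Go programming language.

Installation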

composer require flowpack/cors

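(Refer to the composer documentation for more details)

The default settings enable CORS for all origins (*) in the Flow Development context. This is usually not desired in a production environment.

Configuration

In your package or global Settings.yaml (see Flow framework configuration).

Enabling CORS in production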

Flowpack:
  Cors:

    enabled: true
    
    allowedOrigins:
      - 'trusted-domain.tld'

Adding additional allowed headers (e.g. Authorization)

Flowpack:
  Cors:

    allowedHeaders:
      # defaults
      - 'Origin'
      - 'Accept'
      - 'Content-Type'
      # additional headers
      - 'Authorization'

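Note: Make sure to set all array values in your configuration, including the defaults (if you want to keep them), because Flow merges configuration by numeric keys, which can lead to undesired effects.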
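The merge behaviour behind this note, as an added example that is not part of the package's own code: `mergeSettings` is a simplified stand-in for Flow's settings merge (it assumes a key-by-key overwrite), `auditList` is a hypothetical helper, and `old-partner.example` is a constructed origin.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for Flow's settings merge (assumption: a later layer
// overwrites an earlier one key by key, and YAML list items are keyed 0, 1, 2, ...).
function mergeSettings(array $base, array $override): array
{
    foreach ($override as $key => $value) {
        if (is_array($value) && isset($base[$key]) && is_array($base[$key])) {
            $base[$key] = mergeSettings($base[$key], $value);
        } else {
            $base[$key] = $value;
        }
    }
    return $base;
}

// Compare the effective list with the list the operator meant to configure.
function auditList(array $effective, array $intended): array
{
    return [
        'unexpected' => array_values(array_diff($effective, $intended)),
        'missing'    => array_values(array_diff($intended, $effective)),
    ];
}

// Constructed earlier layer: default headers from this page plus two constructed origins.
$base = ['Flowpack' => ['Cors' => [
    'allowedOrigins' => ['trusted-domain.tld', 'old-partner.example'],
    'allowedHeaders' => ['Origin', 'Accept', 'Content-Type'],
]]];

// Constructed later layer that lists only what the operator wants to change.
$override = ['Flowpack' => ['Cors' => [
    'allowedOrigins' => ['trusted-domain.tld'],
    'allowedHeaders' => ['Authorization'],
]]];

$cors = mergeSettings($base, $override)['Flowpack']['Cors'];

// Index 1 of the earlier origin list survives; index 0 of the header list is replaced.
$report = [
    'allowedOrigins' => auditList($cors['allowedOrigins'], ['trusted-domain.tld']),
    'allowedHeaders' => auditList(
        $cors['allowedHeaders'],
        ['Origin', 'Accept', 'Content-Type', 'Authorization']
    ),
];
echo json_encode($report, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

On a real installation, `./flow configuration:show --type Settings --path Flowpack.Cors` prints the merged settings, which is the list to compare against the intended allowlist.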

Configuration reference

Flowpack:
  Cors:

    enabled: false

    # A list of origins a cross-domain request can be executed from
    # If the special * value is present in the list, all origins will be allowed.
    # An origin may contain a wildcard (*) to replace 0 or more characters (e.g. http://*.domain.com).
    # Only one wildcard can be used per origin.
    #
    allowedOrigins:
      - '*'

    # A list of methods the client is allowed to use with cross-domain requests.
    #
    allowedMethods:
      - 'GET'
      - 'POST'

    # A list of non-simple headers the client is allowed to use with cross-domain requests.
    #
    allowedHeaders:
      - 'Origin'
      - 'Accept'
      - 'Content-Type'

    # Indicates which headers are safe to expose to the API of a CORS API specification
    #
    exposedHeaders: []

    # Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.
    #
    allowCredentials: false

    # Indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.
    #
    maxAge: 0

    # Instructs preflight to let other potential next components to process the OPTIONS method. Turn this on if your application handles OPTIONS.
    #
    optionsPassthrough: false

    # Debugging flag adds additional logging to System.log to debug server-side CORS issues.
    #
    debug: false