papimod/cors

Module Papi

pkg:composer/papimod/cors

v2.1.0 2025-12-22 16:28 UTC

This package is auto-updated.

Last update: 2025-12-22 16:31:58 UTC


README

Description

Helps you set up cross-origin resource sharing (CORS) in your papi.

This module is based on the official tutorial.

Prerequisite Modules

Configuration

CORS_ORIGIN (.ENV)

Required No
Type string
Description Set Access-Control-Allow-Origin
Default *

CORS_METHODS (.ENV)

Required No
Type string
Description Set Access-Control-Allow-Methods
Default GET, POST, PUT, PATCH, DELETE, OPTIONS

CORS_MAX_AGE (.ENV)

Required No
Type string
Description Set Access-Control-Max-Age
Default 3600

CORS_HEADERS (.ENV)

Required No
Type string
Description Set Access-Control-Allow-Headers
Default *

CORS_EXPOSE_HEADERS (.ENV)

Required No
Type string
Description Set Access-Control-Expose-Headers
Default *

Usage

You can add the following options to your .env file:

CORS_PRIORITY=1
# Full origin (scheme + host): the browser compares this value to its Origin header
CORS_ORIGIN=https://plop.fr
CORS_HEADERS="Content-Type, x-requested-with"
CORS_EXPOSE_HEADERS="Content-Encoding, Foo-Bar"
CORS_METHODS="GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD"

Import the module when creating your application:

<?php

require __DIR__ . "/../vendor/autoload.php";

use Papi\PapiBuilder;
use Papimod\Dotenv\DotEnvModule;
use Papimod\Common\CommonModule;
use Papimod\HttpError\HttpErrorModule;
use Papimod\Cors\CorsModule;
use function DI\create;

$builder = new PapiBuilder();

$builder
    ->setModule(
        DotEnvModule::class, # Prerequisite
        CommonModule::class, # Prerequisite of HttpErrorModule
        HttpErrorModule::class, # Prerequisite
        CorsModule::class
    )
    ->build()
    ->run();

MDN Recommendations

  • The server must not specify the * wildcard for the Access-Control-Allow-Origin response-header value, but must instead specify an explicit origin; for example: Access-Control-Allow-Origin: https://example.com

  • The server must not specify the * wildcard for the Access-Control-Allow-Headers response-header value, but must instead specify an explicit list of header names; for example, Access-Control-Allow-Headers: X-PINGOTHER, Content-Type

  • The server must not specify the * wildcard for the Access-Control-Allow-Methods response-header value, but must instead specify an explicit list of method names; for example, Access-Control-Allow-Methods: POST, GET

  • The server must not specify the * wildcard for the Access-Control-Expose-Headers response-header value, but must instead specify an explicit list of header names; for example, Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision
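
MDN gives the recommendations above for responses to credentialed requests, and several of the module's documented defaults are `*`. The following PHP script is an added example, not part of papimod/cors: it audits a set of CORS_* values against those recommendations and checks that CORS_ORIGIN is a full origin; `auditCorsEnv()`, its messages and the sample inputs are hypothetical.

```php
<?php
// Added example, not part of papimod/cors. Variable names and defaults are the
// ones documented above; auditCorsEnv() and its messages are hypothetical.
const CORS_DEFAULTS = [
    'CORS_ORIGIN'         => '*',
    'CORS_METHODS'        => 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
    'CORS_HEADERS'        => '*',
    'CORS_EXPOSE_HEADERS' => '*',
];

/** @return string[] one finding per setting that departs from the recommendations */
function auditCorsEnv(array $env): array
{
    $findings = [];
    foreach (CORS_DEFAULTS as $name => $default) {
        $source = array_key_exists($name, $env) ? '.env' : 'default';
        $items  = array_map('trim', explode(',', $env[$name] ?? $default));
        if (in_array('*', $items, true)) {
            $findings[] = "$name ($source): wildcard *, list explicit values instead";
        }
    }
    $origin = trim($env['CORS_ORIGIN'] ?? CORS_DEFAULTS['CORS_ORIGIN']);
    if ($origin !== '*') {
        // Browsers send Origin as scheme://host[:port], with no path or query,
        // so any other shape can never match the request's origin.
        $parts = parse_url($origin);
        $wellFormed = is_array($parts)
            && in_array($parts['scheme'] ?? '', ['http', 'https'], true)
            && isset($parts['host'])
            && array_diff_key($parts, ['scheme' => 1, 'host' => 1, 'port' => 1]) === [];
        if (!$wellFormed) {
            $findings[] = "CORS_ORIGIN: '$origin' is not a scheme://host[:port] origin";
        }
    }
    return $findings;
}

// Constructed samples: no .env at all, a scheme-less origin, an explicit config.
$samples = [
    'defaults only'  => [],
    'missing scheme' => ['CORS_ORIGIN' => 'plop.fr', 'CORS_HEADERS' => 'Content-Type'],
    'explicit'       => ['CORS_ORIGIN' => 'https://plop.fr', 'CORS_HEADERS' => 'Content-Type',
                         'CORS_EXPOSE_HEADERS' => 'Content-Encoding'],
];
foreach ($samples as $label => $env) {
    echo $label, ': ', json_encode(auditCorsEnv($env), JSON_UNESCAPED_SLASHES), "\n";
}
```

Run it with the PHP CLI, or call `auditCorsEnv()` from a deployment check with the values your .env loader returns.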