diff --git a/src/controllers/API.php b/src/controllers/API.php index 6c547d6..be400d0 100644 --- a/src/controllers/API.php +++ b/src/controllers/API.php @@ -26,12 +26,49 @@ public function __construct() // Set the Content-Type header to application/json header("Content-Type:application/json"); - // Allow access from any origin (CORS) - header('Access-Control-Allow-Origin: *'); + // Allow access from any origin to avoid CORS issues + $this->cors(); $this->resource = Utility::splitURL()[2] ?? ""; } + /** + * An example CORS-compliant method. It will allow any GET, POST, or OPTIONS requests from any + * origin. + * + * In a production environment, you probably want to be more restrictive, but this gives you + * the general idea of what is involved. For the nitty-gritty low-down, read: + * + * - https://developer.mozilla.org/en/HTTP_access_control + * - https://fetch.spec.whatwg.org/#http-cors-protocol + * Reference: https://stackoverflow.com/a/9866124/17627866 + */ + private function cors(): void + { + // Allow from any origin + if (isset($_SERVER['HTTP_ORIGIN'])) { + // Decide if the origin in $_SERVER['HTTP_ORIGIN'] is one + // you want to allow, and if so: + header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); + header('Access-Control-Allow-Credentials: true'); + header('Access-Control-Max-Age: 86400'); // cache for 1 day + } + + // Access-Control headers are received during OPTIONS requests + if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') { + if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) // may also be using PUT, PATCH, HEAD etc + { + header("Access-Control-Allow-Methods: GET, POST, OPTIONS"); + } + + if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) { + header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"); + } + + exit(0); + } + } + /** * Checks if root relative url starts with api/v1 * @return bool