From ac30d8d1c997d21c914bc9f1725bd9566ea79d16 Mon Sep 17 00:00:00 2001
From: zhenhui <1276357500@qq.com>
Date: Sat, 21 Mar 2026 14:01:11 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B5=8B=E8=AF=95=E5=88=86=E6=94=AF-=E9=83=A8?=
 =?UTF-8?q?=E7=BD=B2-=E4=BC=98=E5=8C=96=E8=B7=A8=E5=9F=9F=E6=8A=A5?=
 =?UTF-8?q?=E9=94=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/common/middleware/AllowCrossDomain.php | 83 +++++++++++-----------
 1 file changed, 41 insertions(+), 42 deletions(-)
diff --git a/app/common/middleware/AllowCrossDomain.php b/app/common/middleware/AllowCrossDomain.php
index bb8d8b4..347eb79 100644
--- a/app/common/middleware/AllowCrossDomain.php
+++ b/app/common/middleware/AllowCrossDomain.php
@@ -21,46 +21,6 @@ class AllowCrossDomain implements MiddlewareInterface
 'Access-Control-Allow-Headers' => '*',
 ];
- /**
- * 根据 Origin 与配置写入 Access-Control-Allow-Origin。
- * 注意:* 与 Access-Control-Allow-Credentials:true 不能同时出现,故通配时去掉 Credentials。
- */
- private static function applyCorsOrigin(Request $request, array $header): array
- {
- $origin = $request->header('origin');
- if (is_array($origin)) {
- $origin = $origin[0] ?? '';
- }
- $origin = is_string($origin) ? trim($origin) : '';
-
- $corsDomain = array_map('trim', explode(',', config('buildadmin.cors_request_domain', '')));
- $corsDomain[] = $request->host(true);
- $wildcard = in_array('*', $corsDomain);
-
- if ($origin !== '') {
- $info = parse_url($origin);
- $host = '';
- if (is_array($info)) {
- $host = $info['host'] ?? '';
- }
- $allowed = $wildcard
- || in_array($origin, $corsDomain)
- || in_array($host, $corsDomain)
- || ($host === 'localhost' || $host === '127.0.0.1');
- if ($allowed) {
- $header['Access-Control-Allow-Origin'] = $origin;
- }
- return $header;
- }
-
- if ($wildcard) {
- $header['Access-Control-Allow-Origin'] = '*';
- unset($header['Access-Control-Allow-Credentials']);
- }
-
- return $header;
- }
- /**
- * 返回 CORS 预检(OPTIONS)响应,供路由直接调用(Webman 未匹配路由时不走中间件)
- */
@@ -72,7 +32,24 @@ class AllowCrossDomain implements MiddlewareInterface
 'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
 'Access-Control-Allow-Headers' => 'Content-Type, Authorization, batoken, ba-user-token, think-lang',
 ];
- $header = self::applyCorsOrigin($request, $header);
+ $origin = $request->header('origin');
+ if (is_array($origin)) {
+ $origin = $origin[0] ?? '';
+ }
+ $origin = is_string($origin) ? trim($origin) : '';
+ if ($origin !== '') {
+ $info = parse_url($origin);
+ $host = $info['host'] ?? '';
+ $corsDomain = array_map('trim', explode(',', config('buildadmin.cors_request_domain', '')));
+ $corsDomain[] = $request->host(true);
+ $allowed = in_array('*', $corsDomain)
+ || in_array($origin, $corsDomain)
+ || in_array($host, $corsDomain)
+ || ($host === 'localhost' || $host === '127.0.0.1');
+ if ($allowed) {
+ $header['Access-Control-Allow-Origin'] = $origin;
+ }
+ }
 return response('', 204, $header);
 }
@@ -83,7 +60,29 @@ class AllowCrossDomain implements MiddlewareInterface
 return $handler($request);
 }
- $header = self::applyCorsOrigin($request, $this->header);
+ $header = $this->header;
+
+ $origin = $request->header('origin');
+ if (is_array($origin)) {
+ $origin = $origin[0] ?? '';
+ }
+ $origin = is_string($origin) ? trim($origin) : '';
+
+ if ($origin !== '') {
+ $info = parse_url($origin);
+ $host = $info['host'] ?? '';
+ $corsDomain = array_map('trim', explode(',', config('buildadmin.cors_request_domain', '')));
+ $corsDomain[] = $request->host(true);
+
+ $allowed = in_array('*', $corsDomain)
+ || in_array($origin, $corsDomain)
+ || in_array($host, $corsDomain)
+ || ($host === 'localhost' || $host === '127.0.0.1');
+
+ if ($allowed) {
+ $header['Access-Control-Allow-Origin'] = $origin;
+ }
+ }
 if ($request->method() === 'OPTIONS') {
 return response('', 204, $header);
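Review bot: In the preflight hunk, `$corsDomain` is built from `explode(',', config('buildadmin.cors_request_domain', ''))`, so an empty or trailing-comma setting leaves an empty-string entry in the list, and the loose `in_array($host, $corsDomain)` then accepts any Origin whose `parse_url` yields no host (for example `Origin: null`, which browsers send for sandboxed frames and some redirects), reflecting it into Access-Control-Allow-Origin; the second hunk repeats the same lines. Dropping empty entries and requiring a non-empty host closes this: `$corsDomain = array_filter(array_map('trim', explode(',', config('buildadmin.cors_request_domain', ''))), static fn (string $d): bool => $d !== '');` and `|| ($host !== '' && in_array($host, $corsDomain, true))`, with `true` as the third argument on the other two `in_array` calls as well. If `$this->header`, declared outside the hunk, still carries Access-Control-Allow-Credentials: true, a reflected origin is also a credentialed grant, which is the combination the removed helper's comment warned about. Since the origin check is now copied verbatim into both methods, a private method returning the resolved `$header` array would keep the two from drifting. Both enclosing methods start before their hunks, and the second hunk may continue past the end of this chunk.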