- 新增 CORS_ALLOWED_ORIGINS 和 CORS_ALLOWED_ORIGINS_PATTERNS 以支持跨域请求的来源白名单配置。 - 添加 CORS_MAX_AGE 和 CORS_SUPPORTS_CREDENTIALS 选项,增强跨域请求的灵活性与安全性。
<?php

declare(strict_types=1);

/*
|--------------------------------------------------------------------------
| CORS configuration
|--------------------------------------------------------------------------
|
| Origin allow-lists are read from the environment as comma-separated
| values so that the same file serves every deployment. Everything else
| is a fixed default for this application.
|
*/

// Reads a comma-separated environment value and returns it as a clean list:
// surrounding whitespace is trimmed and blank entries (e.g. a trailing
// comma) are dropped, so "a, b,,c" yields ['a', 'b', 'c'].
$csvFromEnv = static function (string $key): array {
    $entries = [];

    foreach (explode(',', (string) env($key, '')) as $rawEntry) {
        $entry = trim($rawEntry);

        if ($entry !== '') {
            $entries[] = $entry;
        }
    }

    return $entries;
};

return [

    /*
    |--------------------------------------------------------------------------
    | CORS Paths
    |--------------------------------------------------------------------------
    |
    | Only API and broadcasting/auth endpoints need CORS handling; keeping
    | the list narrow means ordinary web routes never emit CORS headers.
    |
    */

    'paths' => ['api/*', 'broadcasting/auth'],

    /*
    |--------------------------------------------------------------------------
    | Allowed Methods
    |--------------------------------------------------------------------------
    |
    | '*' allows any method that the matched route itself accepts.
    |
    */

    'allowed_methods' => ['*'],

    /*
    |--------------------------------------------------------------------------
    | Allowed Origins
    |--------------------------------------------------------------------------
    |
    | Explicit origin allow-list, e.g. CORS_ALLOWED_ORIGINS=
    | "https://app.example.test,https://admin.example.test" (constructed
    | example). Use an explicit domain whitelist in production; do not use *,
    | and note that nothing here rejects a '*' entry if one is configured.
    |
    */

    'allowed_origins' => $csvFromEnv('CORS_ALLOWED_ORIGINS'),

    /*
    |--------------------------------------------------------------------------
    | Allowed Origin Patterns
    |--------------------------------------------------------------------------
    |
    | Optional regex-style patterns for controlled wildcard subdomains.
    | Each entry is presumably handed to the CORS middleware as a full
    | regular expression, so include delimiters and anchor it
    | (^ ... $) - an unanchored pattern can match any origin that merely
    | contains your domain name. Confirm the exact matching semantics
    | against the middleware in use.
    |
    */

    'allowed_origins_patterns' => $csvFromEnv('CORS_ALLOWED_ORIGINS_PATTERNS'),

    /*
    |--------------------------------------------------------------------------
    | Allowed Headers
    |--------------------------------------------------------------------------
    |
    | '*' reflects whatever the preflight request asks for.
    |
    */

    'allowed_headers' => ['*'],

    /*
    |--------------------------------------------------------------------------
    | Exposed Headers
    |--------------------------------------------------------------------------
    |
    | Response headers that browser-side scripts may read; none by default.
    |
    */

    'exposed_headers' => [],

    /*
    |--------------------------------------------------------------------------
    | Max Age
    |--------------------------------------------------------------------------
    |
    | Seconds a browser may cache a preflight response (Access-Control-
    | Max-Age). The default of 0 means preflights are not cached.
    |
    */

    'max_age' => (int) env('CORS_MAX_AGE', 0),

    /*
    |--------------------------------------------------------------------------
    | Supports Credentials
    |--------------------------------------------------------------------------
    |
    | Enable only if browser cross-site cookie auth is required. With
    | credentials enabled, browsers refuse a wildcard origin, so the
    | allow-list above must stay explicit and as short as possible.
    | FILTER_VALIDATE_BOOL accepts "true"/"1"/"on"/"yes"; anything else
    | (including an unset variable) resolves to false.
    |
    */

    'supports_credentials' => filter_var(
        env('CORS_SUPPORTS_CREDENTIALS', false),
        FILTER_VALIDATE_BOOL,
    ),

];