Level 9
@lukasoppermann Take a look at this package (https://github.com/barryvdh/laravel-cors)
Jul 29, 2015
4
Level 1
CORS restrict Access-Control-Allow-Origin to certain domains.
Hey,
so I have an api and some of the routes should only be accessible by specific domains. Of course I have oAuth implemented, so the request needs to provide an access token, but I figured it might make sense to restrict the routes to certain domains.
I could of course check the Origin header and compare it to an array of domains, but I am not sure this is correct.
How would I implement something like this? Does it even make sense? Is there any good, not so theoretical resource on CORS? All I found was basically for allowing all domains Access-Control-Allow-Origin: * but this is not what I need.
Level 1
Hey @binalfew I saw this, but it does not really help, I think.
It will not let you do route-specific headers.
Actually if you look inside the package here, he does a simple check like I suggested, using the Origin header. https://github.com/barryvdh/laravel-cors/blob/master/src/HandleCors.php#L67 But I am not sure if this is a secure and good idea. Is there any info on this?
Level 1
It seems to not be feasible, as GET Requests do not necessary carry an origin header and it seems you can not force one to be included.
Level 1
You have to remember CORS is not access control system and you should not expect all cross-origin requests will have pre-flights that could be handled by middleware. For so-called 'simple' methods with so-called 'simple' headers request will be made without pre-flight. Thus you can not restrict such requests with CORS and should use other means. For example method 'GET' without any headers or with only 'simple' headers will not have pre-flight request so disabling it will not restrict access to resource(s).
Also folks who use tools like curl or similar can send you any header so you can't rely on that data as they are not protected by cryptography. You should implement 'usual' protection with Bearer/Basic/etc Authentication and authorization.
If you are OK that your protection works only for browsers CORS is totally fine (however you should remember about 'simple' methods and headers).
I'll leave here a link to my CORS implementation which is closer to CORS specification https://github.com/neomerx/cors-illuminate
2 likes
Please or to participate in this conversation.