Remove null 'Access-Control-Allow-Origin' if origin check has failed (#…

…131)

EventListener/CorsListener.php

@@ -143,7 +143,7 @@ protected function getPreflightResponse(Request $request, array $options)
         }
 
         if (!$this->checkOrigin($request, $options)) {
-            $response->headers->set('Access-Control-Allow-Origin', 'null');
+            $response->headers->remove('Access-Control-Allow-Origin');
 
             return $response;
         }

Tests/CorsListenerTest.php

@@ -182,6 +182,29 @@ public function testSameHostRequest()
         $this->assertNull($event->getResponse());
     }
 
+    public function testPreflightedRequestWithOriginButNo()
+    {
+        $options = array(
+            'allow_origin' => array(),
+            'allow_methods' => array('POST', 'PUT'),
+        );
+
+        $req = Request::create('/foo', 'OPTIONS');
+        $req->headers->set('Host', 'example.com');
+        $req->headers->set('Origin', 'http://evil.com');
+        $req->headers->set('Access-Control-Request-Method', 'POST');
+
+        $dispatcher = m::mock('Symfony\Component\EventDispatcher\EventDispatcherInterface');
+        $dispatcher->shouldReceive('addListener')->times(0);
+
+        $event = new GetResponseEvent(m::mock('Symfony\Component\HttpKernel\HttpKernelInterface'), $req, HttpKernelInterface::MASTER_REQUEST);
+        $this->getListener($dispatcher, $options)->onKernelRequest($event);
+        $resp = $event->getResponse();
+        $this->assertInstanceOf('Symfony\Component\HttpFoundation\Response', $resp);
+        $this->assertEquals(200, $resp->getStatusCode());
+        $this->assertNull($resp->headers->get('Access-Control-Allow-Origin'));
+    }
+
     public function testRequestWithOriginButNo()
     {
         // Request with same host as origin