Do not crash application if custom scheme is not registered #50
If a custom URL scheme such as "chrome-extension" is not registered, a request with the header "Origin: chrome-extension://..." will crash the application:
PHP Fatal error: Uncaught Zend\Uri\Exception\InvalidArgumentException: no class registered for scheme "chrome-extension" in /vendor/zendframework/zend-uri/src/UriFactory.php:104
Stack trace:
#0 /vendor/zendframework/zend-http/src/Header/Origin.php(32): Zend\Uri\UriFactory::factory('chrome-extensio...')
#1 /vendor/zendframework/zend-http/src/Headers.php(446): Zend\Http\Header\Origin::fromString('Origin: chrome-...')
#2 /vendor/zendframework/zend-http/src/Headers.php(285): Zend\Http\Headers->lazyLoadHeader(4)
#3 /vendor/zfr/zfr-cors/src/ZfrCors/Service/CorsService.php(70): Zend\Http\Headers->get('Origin')
#4 /vendor/zfr/zfr-cors/src/ZfrCors/Mvc/CorsRequestListener.php(89): ZfrCors\Service\CorsService->isCorsRequest(Object(ZF\ContentNegotiation\Request))
It happens because nobody catches the InvalidArgumentException from UriFactory in Zend\Http\Header\Origin::fromString.
Requests with "Origin: chrome-extension://..." or "Origin: moz-extension://..." sometimes occur on my production site. These requests are sent by my site's users, which is why I can't just register several custom URL schemes in my onBootstrap().
I think it would be better to respond with a 400 code (as described in CorsRequestListener->onCorsPreflight) than to crash the application with a 500 error.
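
The handling proposed above, as an added example in plain PHP that is not code from this pull request, ZfrCors or Zend: the Origin header is client-controlled, so a parse failure is caught at the CORS boundary and answered with 400. `REGISTERED_SCHEMES`, `parseOrigin` and `corsStatus` are hypothetical stand-ins for the UriFactory scheme lookup and the CORS listener.

```php
<?php
// Added example with hypothetical names; not ZfrCors or Zend code.

// Stand-in for the UriFactory lookup: only these schemes have a URI class.
const REGISTERED_SCHEMES = ['http', 'https'];

/** Parses an Origin value; throws for a scheme with no registered class, like the trace above. */
function parseOrigin(string $raw): array
{
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, REGISTERED_SCHEMES, true)) {
        throw new InvalidArgumentException(
            sprintf('no class registered for scheme "%s"', $scheme)
        );
    }
    return ['scheme' => $scheme, 'host' => (string) parse_url($raw, PHP_URL_HOST)];
}

/** Status the CORS listener answers with: the Origin header is client input, so a parse failure is a 400. */
function corsStatus(array $headers): int
{
    if (!isset($headers['Origin'])) {
        return 200; // not a CORS request
    }
    try {
        parseOrigin($headers['Origin']);
    } catch (InvalidArgumentException $e) {
        return 400; // bad request instead of an uncaught fatal error (500)
    }
    return 200; // parsed; the normal CORS origin checks would run next
}

// Constructed sample requests.
$samples = [
    [],
    ['Origin' => 'https://example.com'],
    ['Origin' => 'chrome-extension://constructed-extension-id'],
    ['Origin' => 'moz-extension://constructed-extension-id'],
];
foreach ($samples as $headers) {
    printf("%-50s => %d\n", $headers['Origin'] ?? '(no Origin header)', corsStatus($headers));
}
```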