CORS support #82
CORS support #82
Conversation
| @@ -43,6 +43,12 @@ return array( | |||
| * or manually use the AcceptableViewModelSelector to return the right model according to Content-Type | |||
| */ | |||
| // 'register_select_model' => true, | |||
|
|
|||
| /** | |||
| * If this listener is registered (it is not by default), it will check before routing any request | |||
| /** @var $response HttpResponse */ | ||
| $response = $event->getResponse(); | ||
| $origin = $request->getHeader('Origin', null); | ||
| if ($origin !== null) { |
There was a problem hiding this comment.
We should avoid nesting too much. Do it the other way, say:
if ($origin === null) {
return;
}
This avoid a large number of nesting.
|
ping @asm89 can you look into this since you got some experience? :) |
| /** | ||
| * Set the list of rest method verbs. | ||
| */ | ||
| // 'allowed_methods' => array('GET, POST, PUT, DELETE, OPTIONS'), |
There was a problem hiding this comment.
I thin there is an error in the exemple. It should be array('GET', 'POST', 'PUT'...).
|
Except a few more CS, it looks very good to me :). Just write a few tests and documentation and I think it'll be a nice feature to have. |
|
|
||
| $this->corsListener->onCors($this->event); | ||
|
|
||
| $this->assertNotEquals(204, $this->event->getResponse()->getStatusCode()); |
There was a problem hiding this comment.
Isn't there some standard about which status code a CORS request should send in case the CORS is not authorized?
There was a problem hiding this comment.
You prefer return 401 status code instead of nothing ?
There was a problem hiding this comment.
I think 401 is a great choice. Once again, please refer on the internet if there is a widely used convention for that.
There was a problem hiding this comment.
401 = unauthenticated. 403 = unauthorized
On 25 Aug 2013 12:27, "Michaël Gallego" notifications@github.com wrote:
In tests/ZfrRestTest/Mvc/CorsListenerTest.php:
$this->corsListener->onCors($this->event);
$this->assertNotEquals(204, $this->event->getResponse()->getStatusCode());- }
- public function testIfAccessControlRequestMethodIsNotInRequest()
- {
$request = new HttpRequest();$request->setMethod('options');$request->getHeaders()->addHeaderLine('Origin', 'origin-header');
$this->event->setRequest($request);
$this->corsListener->onCors($this->event);
$this->assertNotEquals(204, $this->event->getResponse()->getStatusCode());I think 401 is a great choice. Once again, please refer on the internet if
there is a widely used convention for that.—
Reply to this email directly or view it on GitHubhttps://github.com//pull/82/files#r5968031
.
There was a problem hiding this comment.
Ok, so 403 makes more sense then ;-). Thanks for the clarification Marco.
|
@Orkin after discussing a bit with @bakura10 we thought of moving this to a new This needs a bit more of thought, but doesn't clutter zfr-rest with logic that is currently not interacting with the routes/resources at all. What it could be (after this patch, of course - we don't want to push functionality too far):
Just some ideas, but as you can see, the @bakura10 is setting up a repository and can give you commit access to it I suppose. |
|
I'm closing this as we'll have a ZfrCors soon. |
No description provided.