CORS¶
Die Klasse \Alvine\Application\Web\Router\CORS\Strategy
und \Alvine\Application\Web\Router\CORS\PreflightStrategy
werden vom Router aufgerufen und
sorgen für das Senden der richtigen Header.
Konfiguration¶
# Cross-Origin Resource Sharing
# @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
# @see https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request
#
# Unlike simple requests, for "preflighted" requests the browser first sends an HTTP request using the OPTIONS
# method to the resource on the other origin, in order to determine if the actual request is safe to send.
# Such cross-site requests are preflighted since they may have implications for user data.
application.web.routing.cors.preflight.class=\Alvine\Application\Web\Router\CORS\PreflightStrategy
# Preflighted requests
# @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
# This field allows only one host and no list, therefore you configure a comma-separated list at this
# point which is allowed. A value is taken from this list which fits.
# application.web.routing.cors.preflight.origins=https://www.example.com
# Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in
# the response must not be the wildcard '*' when the request's credentials mode is 'include'.
# With the placeholder ** you can set the requested host.
application.web.routing.cors.preflight.origins=**
# Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
# @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
# application.web.routing.cors.preflight.headers=[<header-name>[, <header-name>]*]
# application.web.routing.cors.preflight.headers=DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
# application.web.routing.cors.preflight.headers=*
application.web.routing.cors.preflight.headers=**
# Access-Control-Allow-Methods: POST, GET, OPTIONS
# @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
# application.web.routing.cors.preflight.methods=<method>, <method>, ...
# application.web.routing.cors.preflight.methods=*
application.web.routing.cors.preflight.methods=**
# Access-Control-Max-Age: 86400
# @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
# application.web.routing.cors.preflight.maxage=<delta-seconds>
# application.web.routing.cors.preflight.maxage=86400
application.web.routing.cors.preflight.maxage=86400
# The value of the 'Access-Control-Allow-Credentials' header in the response must be 'true'
# when the request's credentials mode is 'include'.
# @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
application.web.routing.cors.preflight.allow-credentials=true
# CORS
# this class is built if a request uses CORS.
# @see https://developer.mozilla.org/de/docs/Web/HTTP/CORS
# to them preflight see above
application.web.routing.cors.class=\Alvine\Application\Web\Router\CORS\Strategy
# CORS-Headers
application.web.routing.cors.cors.expose-headers=
# With the placeholder ** you can set the requested host.
application.web.routing.cors.origins=**
application.web.routing.cors.allow-credentials=true