
Unsafe `Access-Control-Allow-Headers` behavior

Open jyxjjj opened this issue 7 months ago • 2 comments

I found this in Laravel 12.17.0 with php-cors 1.3.0, path: vendor/fruitcake/php-cors/src/CorsService.php

```php
// Excerpt quoted from CorsService.php: when the configured list contains '*',
// the preflight's Access-Control-Request-Headers value is reflected back
// verbatim, regardless of whether credentials are supported.
$this->allowAllHeaders = in_array('*', $this->allowedHeaders);
if ($this->allowAllHeaders === true) {
    $allowHeaders = (string) $request->headers->get('Access-Control-Request-Headers');
    $this->varyHeader($response, 'Access-Control-Request-Headers');
}
$response->headers->set('Access-Control-Allow-Headers', $allowHeaders);
```

And this from MDN:

Any header. The value * only counts as a special wildcard value for requests without credentials (requests without [HTTP cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies) or HTTP authentication information). In requests with credentials, it is treated as the literal header name * without special semantics. The [Authorization](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Authorization) header doesn't accept wildcard and always needs to be listed explicitly.

So we should check whether supports_credentials is true when generating Access-Control-Request-Headers, right?

jyxjjj Jun 10 '25 06:06
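As an added illustration (not php-cors code and not something the reporter posted), a standalone PHP function that applies the credentials check proposed above: `*` is emitted only for non-credentialed requests, and with credentials only explicitly configured headers are granted. The function name, parameter names and sample inputs are assumptions.

```php
<?php
// Hypothetical helper modelling the Access-Control-Allow-Headers decision
// with the credentials rule from MDN: "*" is a wildcard only when the
// request carries no credentials; otherwise it is a literal header name.

/**
 * @param string[] $allowedHeaders      configured allow-list, may contain '*'
 * @param bool     $supportsCredentials the supports_credentials option
 * @param string   $requested           raw Access-Control-Request-Headers value
 * @return string|null header value, or null when no header may be granted
 */
function computeAllowHeaders(array $allowedHeaders, bool $supportsCredentials, string $requested): ?string
{
    // Browsers send the requested names lower-cased and comma-separated.
    $requestedList = array_filter(array_map(
        fn(string $h): string => strtolower(trim($h)),
        explode(',', $requested)
    ));
    $wildcard = in_array('*', $allowedHeaders, true);

    // No credentials: "*" is a genuine wildcard and may be sent as-is.
    if ($wildcard && !$supportsCredentials) {
        return '*';
    }

    // Credentials in play: never emit "*" (the browser reads it literally),
    // and do not reflect the request blindly, since that would grant any
    // header including Authorization. Grant only configured names.
    $explicit = array_map('strtolower', array_diff($allowedHeaders, ['*']));
    $granted  = array_values(array_intersect($requestedList, $explicit));

    return $granted === [] ? null : implode(', ', $granted);
}

// Constructed sample preflights.
var_dump(computeAllowHeaders(['*'], false, 'X-Requested-With, Authorization'));
var_dump(computeAllowHeaders(['*'], true, 'X-Requested-With, Authorization'));
var_dump(computeAllowHeaders(['*', 'Authorization'], true, 'x-requested-with, authorization'));
```

Unlike the reflecting branch quoted in the issue, this never grants a header that is absent from the configured list once credentials are enabled.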