5 * Allows Cross-origin resource sharing.
9 * Implements hook_menu().
11 function cors_menu() {
14 $items['admin/config/services/cors'] = array(
16 'description' => 'Enable Cross-origin resource sharing',
17 'page callback' => 'drupal_get_form',
18 'page arguments' => array('cors_admin_form'),
19 'access arguments' => array('administer site configuration'),
26 * CORS admin configuration form.
28 function cors_admin_form($form, &$form_state) {
32 foreach (variable_get('cors_domains', array()) as $path => $domain) {
33 $cors_domains .= $path . '|' . $domain . "\n";
36 $form['cors_domains'] = array(
37 '#type' => 'textarea',
38 '#title' => t('Domains'),
39 '#description' => t('A list of paths and corresponding domains to enable for CORS. Multiple entries should be separated by a comma. Enter one value per line separated by a pipe, in this order:
41 <li>Internal path</li>
42 <li>Access-Control-Allow-Origin. Use <mirror> to echo back the Origin header.</li>
43 <li>Access-Control-Allow-Methods</li>
44 <li>Access-Control-Allow-Headers</li>
45 <li>Access-Control-Allow-Credentials</li>
49 <li>*|http://example.com</li>
50 <li>api|http://example.com:8080 http://example.com</li>
51 <li>api/*|<mirror>,https://example.com</li>
52 <li>api/*|<mirror>|POST|Content-Type,Authorization|true</li>
54 '#default_value' => $cors_domains,
58 $form['submit'] = array(
60 '#value' => t('Save configuration'),
67 * CORS admin configuration form submit.
69 function cors_admin_form_submit($form, &$form_state) {
70 $domains = explode("\n", $form_state['values']['cors_domains'], 2);
72 foreach ($domains as $domain) {
73 $domain = explode("|", $domain, 2);
74 if (count($domain) === 2) {
75 $settings[$domain[0]] = (isset($settings[$domain[0]])) ? $settings[$domain[0]] . ' ' : '';
76 $settings[$domain[0]] .= trim($domain[1]);
80 variable_set('cors_domains', $settings);
84 * Implements hook_init().
86 function cors_init() {
87 $domains = variable_get('cors_domains', array());
88 $current_path = drupal_strtolower(drupal_get_path_alias($_GET['q']));
89 $request_headers = getallheaders();
92 'Access-Control-Allow-Origin' => array(),
93 'Access-Control-Allow-Credentials' => array(),
96 'Access-Control-Allow-Methods' => array(),
97 'Access-Control-Allow-Headers' => array(),
100 foreach ($domains as $path => $settings) {
101 $settings = explode("|", $settings);
102 $page_match = drupal_match_path($current_path, $path);
103 if ($current_path != $_GET['q']) {
104 $page_match = $page_match || drupal_match_path($_GET['q'], $path);
107 if (!empty($settings[0])) {
108 $origins = explode(',', trim($settings[0]));
109 foreach ($origins as $origin) {
110 if ($origin === '<mirror>') {
111 if (!empty($request_headers['Origin'])) {
112 $headers['all']['Access-Control-Allow-Origin'][] = $request_headers['Origin'];
116 $headers['all']['Access-Control-Allow-Origin'][] = $origin;
121 if (!empty($settings[1])) {
122 $headers['OPTIONS']['Access-Control-Allow-Methods'] = explode(',', trim($settings[1]));
124 if (!empty($settings[2])) {
125 $headers['OPTIONS']['Access-Control-Allow-Headers'] = explode(',', trim($settings[2]));
127 if (!empty($settings[3])) {
128 $headers['all']['Access-Control-Allow-Credentials'] = explode(',', trim($settings[3]));
133 foreach ($headers as $method => $allowed) {
134 if ($method === 'all' || $method === $_SERVER['REQUEST_METHOD']) {
135 foreach ($allowed as $header => $values) {
136 if (!empty($values)) {
137 foreach ($values as $value) {
138 drupal_add_http_header($header, $value, TRUE);
147 * If running nginx, implement getallheaders ourself.
149 * Code is taken from http://php.net/manual/en/function.getallheaders.php
151 if (!function_exists('getallheaders')) {
152 function getallheaders() {
153 foreach ($_SERVER as $name => $value) {
154 if (substr($name, 0, 5) == 'HTTP_') {
155 $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;