This is the CORS handler for Leaf.
You can easily install it using leaf cli
leaf install corsor with Composer:
composer require leafs/corsAfter installing the cors module, the cors module is automatically linked to the leaf app and can be used directly without referencing it anywhere.
require __DIR__ . "/vendor/autoload.php";
$app = new Leaf\App;
$app->cors();
$app->get('/products/{id}', function () use($app) {
$app->response()->json(['message' => 'This is CORS-enabled for all origins!']);
});
$app->run();You can alternatively call Leaf\Http\Cors::config() instead of $app->cors() in the example above.
require __DIR__ . '/vendor/autoload.php';
$app = new Leaf\App;
$app->cors([
'origin' => 'http://example.com',
'optionsSuccessStatus' => 200 // some legacy browsers (IE11, various SmartTVs) choke on 204
]);
$app->get('/products/{id}', function () use($app) {
$app->response()->json(['message' => 'This is CORS-enabled for all origins!']);
});
$app->run();origin: Configures the Access-Control-Allow-Origin CORS header. Possible values:String- setoriginto a specific origin. For example if you set it to"http://example.com"only requests from "http://example.com" will be allowed.RegExp (in string form)- setoriginto a regular expression pattern which will be used to test the request origin. If it's a match, the request origin will be reflected. For example the pattern'/example\.com$/'will reflect any request that is coming from an origin ending with "example.com".Array- setoriginto an array of valid origins. Each origin can be aStringor aRegExp. For example["http://example1.com", '/\.example2\.com$/']will accept any request from "http://example1.com" or from a subdomain of "example2.com".Function- setoriginto a function implementing some custom logic. The function takes the request origin as the first parameter and a callback (called ascallback(err, origin), whereoriginis a non-function value of theoriginoption) as the second.
methods: Configures the Access-Control-Allow-Methods CORS header. Expects a comma-delimited string (ex: 'GET,PUT,POST') or an array (ex:['GET', 'PUT', 'POST']).allowedHeaders: Configures the Access-Control-Allow-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Type,Authorization') or an array (ex:['Content-Type', 'Authorization']). If not specified, defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.exposedHeaders: Configures the Access-Control-Expose-Headers CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex:['Content-Range', 'X-Content-Range']). If not specified, no custom headers are exposed.credentials: Configures the Access-Control-Allow-Credentials CORS header. Set totrueto pass the header, otherwise it is omitted.maxAge: Configures the Access-Control-Max-Age CORS header. Set to an integer to pass the header, otherwise it is omitted.preflightContinue: Pass the CORS preflight response to the next handler.optionsSuccessStatus: Provides a status code to use for successfulOPTIONSrequests, since some legacy browsers (IE11, various SmartTVs) choke on204.
The default configuration is the equivalent of:
{
"origin": "*",
"methods": "GET,HEAD,PUT,PATCH,POST,DELETE",
"allowedHeaders": "*",
"exposedHeaders": "",
"credentials": false,
"maxAge": null,
"preflightContinue": false,
"optionsSuccessStatus": 204,
}