fruitcake / laravel-cors Goto Github PK

View Code? Open in Web Editor NEW

6.3K 87.0 616.0 372 KB

Adds CORS (Cross-Origin Resource Sharing) headers support in your Laravel application

License: MIT License

PHP 100.00%

php laravel middleware cors hacktoberfest

laravel-cors's People

Contributors

Stargazers

Watchers

Forkers

fhferreira illustriousadvancements binhqx samuelcasas sd031 lhidalgo42 rap2hpoutre adamwaheed timothyloyer carlosuh kjghja jadulled janusnic mintbridge cloud4bpm yosvelquintero dennyloko jandetlefsen sachintaware fabriciosilva explore-laravel nzwddy rakesh-mohanta webpatser bran921007 mtdavidson webappventures anteriovieira thantai574 powercen dcarrith egeriis jamesforks mrlsoares rcal mbazalik mossey imjerrybao ymnl007 edsonalvesan itanortega sonnyshen nagahshi daedeloth marktinsley danhunsaker hootlex atayahmet rockymontana arissetyawan honeroku noohkvm larawos cbecke1 iamonuwa kidsk jrean kabooodle alpfish smithwebster bellalmohamed royalwang mdk3modules martintern borutjures rahmatcmos danmichaelo boyana86 uberflip abhishekrohilla moocbook mrcarlosdev ocliuziyang echobool brucewu16899 jwh315 aissakhan hamzahmidani sheraken dcastrili yessica54 lamoimage jenalgit mikkolukkari 7758285 jaasaria shojibflamon omarelebiary nyanlynnhtut gmann1982 wolg pagmovel diegofelipe86 aliayoubi austenc zengfanyao snsm hoangquanghuy zhouxiaokai outhebox

laravel-cors's Issues

The Preflight OPTIONS are returning a cookie which is different

Hello,

Although I set the withCredentials for the angularJS side of the call, the preflight OPTIONS are not sending a cookie but I am receiving one back from Laravel. How can we disable OPTIONS to return a cookie laravel_session?
It messes up the CORS as it sets a new session which will obviously be different on every POST.

Thanks!

see stack overflow thread here: http://stackoverflow.com/questions/28213329/angularjs-laravel-cors-post-stops-after-preflights-options?noredirect=1#comment44793071_28213329

Vary:Origin should be set on response even if Origin:xxx is not on request

If the response does not contain a Origin header, then the Vary:Origin header and CORS headers are not sent on the response. This causes any subsequent HTTP caches (e.g., Varnish) to cache and serve the response without CORS headers for future requests that do specify a valid Origin header.

OPTIONS request returns 405

When I add your package and configure it correctly the OPTIONS pre-flight requests returns a 405. Is this an issue with my webserver by any chance? This is my configuration:

    'paths' => [
        '*' => [
            'allowedOrigins' => ['*'],
            'allowedHeaders' => ['Content-Type'],
            'allowedMethods' => ['POST', 'PUT', 'GET', 'DELETE', 'PATCH', 'OPTIONS'],
            'maxAge' => 3600,
        ],
    ],

If I manually add the headers (and not use your package) everything seems to work though:

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS");
header("Access-Control-Allow-Headers: Content-Type");

Although it seems then no pre-flight seems to be performed.

Exception handler

Hello,
How can I use this middleware with Laravel 5 app/Exceptions/Handler.php? Because when exception happen, this middleware does not set the headers.
Thanks!

Config file issues

I've updated to laravel 4.1 and since then I'm getting the Origin is not allowed. I haven't change anything in my config file and when checking code is seems that the config file is not loaded from laravel-cors package.

OPTIONS method returning data in response

Although the pre-flight request works fine, I don't understand why it is responding with actual data in the response (see screenshot). As I understand a simple 200 OK response should be sufficient. Is there a setting in laravel-cors to configure this?

Laravel 5.0 Support

With the new middleware implementation in Laravel 5.0 this package no longer works.

302 redirect after preflight?

Is it possible to do a 302 redirect after preflight has occurred? ie: inside a filter that fires before a route. It doesn't appear like it works, but the response seems like something that should be allowed?

Here is a simple filter I was playing w/ that "should" redirect to an invalid session if the access_token is invalid, but it doesn't appear to work.

public function filter($route, $request, $data = null)                       
    {                                                                            
        //  Get the authorization header or fail                                 
        if ($authorization = Request::header('Authorization', false)) {          
            list($type, $token) = explode(' ', $authorization);                  
            if (is_null($auth = OAuth2::token($token)->first())) {               
                return Redirect::to('session/invalid'); // This redirect seems to fail?
            }

            ...

        } else {                                                                 
            //  The authentication header is invalid, redirect to let the user know.
            return Redirect::to('session/invalid');                              
        }                                                                        
    }

I tried fiddling w/ my config options, but nothing has really seemed to work.

return array(
  'defaults' =>  array(
      'allow_credentials' => false,
      'allow_origin'=> array(),
      'allow_headers'=> array(),
      'allow_methods'=> array(),
      'expose_headers'=> array(),
      'max_age' => 0
  ),

  'paths' => array(
      '^/api/' => array(
          'allow_origin'=> array('*'),
          'allow_headers'=> array('Content-Type', 'Authorization'),
          'allow_methods'=> array('POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'),
          'max_age' => 3600
      ),
      '^/session/' => array(
          'allow_origin'=> array('*'),
          'allow_headers'=> array('Content-Type', 'Authorization'),
          'allow_methods'=> array('GET', 'OPTIONS'),
          'max_age' => 3600
      )
  ),

);

Response

XMLHttpRequest cannot load http://foo.com/api/tracks/27d7de10ba-e353-455b-a3cb-ced9b4965141. The request was redirected to 'http://foo.com/session/invalid', which is disallowed for cross-origin requests that require preflight.

Authorization:Bearer

Hi,

I'm writing a EmberJS webapp. To communicate with the my API (Laravel 4 + laravel-auth-token + laravel-cors), I'm using the "ember-simple-auth" library (https://github.com/simplabs/ember-simple-auth).
The authentication is working well. But I'm struggling with the Authorization.

For each requests, "ember-simple-auth" send an "Authorization:Bearer XXXXXXXX(...)" as token. But laravel-cors is waiting for a "auth_token" right?

How can I do to make those 2 libraries working together?

Thank you

The Preflight OPTIONS headers are not appended when executing the link

Would like to apologize because I am still new to Laravel and Cors but I am using the v0.7 pull with laravel 5.0, i manage to install everything but I am facing a problem whereby my preflight OPTIONS are not returned with the necessary headers. Look at the image below:

The link is being called by AngularJS v1.3.15 with $resource

I manage to make a dirty override by adding those 3 lines in route.php but i do not want to maintain with such approach

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: ACCEPT, CONTENT-TYPE, X-CSRF-TOKEN");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE");

I wonder if someone could provide me with a guide on how to properly work this module. Thanks

I also have a topic in Stackoverflow which also records the updated I have done.

Problem at installation

I got following errors:

Please help me to fix those errors. Thank you very much.

Installation error

I am trying to install the package in L5 project , but I got those errors now

 composer require barryvdh/laravel-cors 0.5.x@dev
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Conclusion: don't install laravel/framework v5.0.27
    - Conclusion: don't install laravel/framework v5.0.26
    - Conclusion: don't install laravel/framework v5.0.25
    - Conclusion: don't install laravel/framework v5.0.24
    - Conclusion: don't install laravel/framework v5.0.23
    - Conclusion: don't install laravel/framework v5.0.22
    - Conclusion: don't install laravel/framework v5.0.21
    - Conclusion: don't install laravel/framework v5.0.20
    - Conclusion: don't install laravel/framework v5.0.19
    - Conclusion: don't install laravel/framework v5.0.18
    - Installation request for barryvdh/laravel-cors 0.5.x@dev -> satisfiable by barryvdh/laravel-cors[0.5.x-dev].
    - Conclusion: don't install laravel/framework v5.0.17
    - Conclusion: remove laravel/framework v5.0.16
    - barryvdh/laravel-cors 0.5.x-dev requires illuminate/support ~5.0.17 -> satisfiable by laravel/framework[v5.0.17, v5.0.18, v5.0.19, v5.0.20, v5.0.21, v5.0.22, v5.0.23, v5.0.24, v5.0.25, v5.0.26, v5.0.27], illuminate/support[v5.0.22, v5.0.25, v5.0.26].
    - don't install illuminate/support v5.0.22|don't install laravel/framework v5.0.16
    - don't install illuminate/support v5.0.25|don't install laravel/framework v5.0.16
    - don't install illuminate/support v5.0.26|don't install laravel/framework v5.0.16
    - Installation request for laravel/framework == 5.0.16.0 -> satisfiable by laravel/framework[v5.0.16].


Installation failed, reverting ./composer.json to its original content.

Global exception handling should not be part of this middleware

I've been banging my head against the wall trying to figure out why my exceptions are not getting caught by the proper middleware and are instead getting rendered. After a few hours, I narrowed it down to this library, and specifically the block starting here: https://github.com/barryvdh/laravel-cors/blob/master/src/HandleCors.php#L50

We are executing this middleware on a route group which means that it runs first before any other middleware. Specifically, we are running this on an Oauth2 authorization route (https://github.com/lucadegasperi/oauth2-server-laravel). This Oauth2 library has it's own middleware for catching it's own request errors and handling them gracefully. However, laravel-cors is catching all exceptions and handling them without giving a chance for any other middlewares to operate on the request.

I understand that this change resulted from this issue (#32) where the headers were not set properly when an exception happens. I think a better way to go about this is to create a custom error handler for laravel-cors which would take the place of App\Exceptions\Handler. Or, possibly add a method that could be added to the handle() method in an existing handler which dealt with adding the proper headers. I am of the opinion that it is not the responsibility of laravel-cors to catch errors and render them. All that should happen is laravel-cors takes care of any headers that need to be set for the request. Global exception handling should be out of scope.

Not allowing requests on nested resources?

I am struggling with this issue for days.

This is the config:

'defaults' => array(
        'supportsCredentials' => false,
        'allowedOrigins' => array('*'),
        'allowedHeaders' => array('*'),
        'allowedMethods' => array('*'),
        'exposedHeaders' => array(),
        'maxAge' => 3600,
        'hosts' => array('*'),
    ),
    'paths' => array()

As you can see I have allowed every single thing!

This way all GET and PUT requests work perfectly.

But when I POST to

http://localhost/eyelander/server/public/api/areas/2/coordinates

I get

XMLHttpRequest cannot load http://localhost/eyelander/server/public/api/areas/1/coordinates. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access.

I have tried this configuration too, but still no luck...

'defaults' => array(
        'supportsCredentials' => false,
        'allowedOrigins' => array('*'),
        'allowedHeaders' => array('*'),
        'allowedMethods' => array('*'),
        'exposedHeaders' => array(),
        'maxAge' => 0,
        'hosts' => array('*'),
    ),

    'paths' => array(
        '*' => array(
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('*'),
            'allowedMethods' => array('*'),
            'maxAge' => 3600,
            'hosts' => array('*'),
        ),
    )

Maybe I'm doing something wrong, but I don't have a single clue about what is wrong with it.

It performs the OPTIONS request and stalls

Request headers

OPTIONS /eyelander/server/public/api/areas/1/coordinates HTTP/1.1
Host: localhost
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:9000
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Access-Control-Request-Headers: accept, content-type
Accept: */*
DNT: 1
Referer: http://localhost:9000/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4

Response headers

HTTP/1.0 200 OK
Date: Tue, 02 Sep 2014 07:28:53 GMT
Server: Apache/2.4.9 (Win32) OpenSSL/1.0.1g PHP/5.5.11
X-Powered-By: PHP/5.5.11
Cache-Control: no-cache
Access-Control-Allow-Origin: http://localhost:9000
Access-Control-Max-Age: 3600
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: ACCEPT, CONTENT-TYPE
Set-Cookie: laravel_session=eyJpdiI6ImhMV0RIXC9kUndLT01aVWNwSzl0dTh3PT0iLCJ2YWx1ZSI6IjB6eFRndUcwRUxVR0N2RXpQMU4xT1RRcmtxc0RFUkZsdjNmMDZcL3hXQk1MRnVncGc1S0NKTitaM2g2ZWZ4S2dLRW9tMDlucTZFdFpYaVpKXC9icWIxMFE9PSIsIm1hYyI6IjQ2Y2MzYTg4NzY3M2VkNjdkYTRlOTIwOWViOWRhM2JjY2FiMTdkN2M0NDUzMWE3Njc0NDBhZWYwMjkyZTliMTAifQ%3D%3D; expires=Tue, 02-Sep-2014 09:28:53 GMT; Max-Age=7200; path=/; httponly
Connection: close
Content-Type: text/html

POST or PUT gets same error

Hi,

I tried to use laravel-cors (2.0) with laravel 4.2 to update data, but I always get the same error:

XMLHttpRequest cannot load http://goc-rb:8010/api/clientes/historico/insert/1. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://goc-rf:8010' is therefore not allowed access. The response had HTTP status code 500.

GET request works fine! PUT or POST return error.

My file configuration is:

    'defaults' => array(
        'supportsCredentials' => true,
        'allowedOrigins' => array(),
        'allowedHeaders' => array(),
        'allowedMethods' => array(),
        'exposedHeaders' => array(),
        'maxAge' => 900,
        'hosts' => array(),
    ),

    'paths' => array(
        'api/*' => array(
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('*'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 900,
        ),
        '*' => array(
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('Content-Type', 'X-Auth-Token'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 900,
            'hosts' => array('*'),
        ),
    ),

can you help me?
Thanks advanced!

hhvm and laravel-cors - no cors headers beeing sent

Well, this is pretty weird to me. I replaced php5-fpm (5.6.9) with hhvm (3.8.1) today, suddenly CORS headers went missing on my API domain. I switched back to php5-fpm and CORS headers we're working again.

I have no explaination for this behaviour.

Anyone else experiencing the same issue?

5.1, middleware doesn't appear to be working?

Hello,

I've used this package previously in 4.2 and it worked perfectly.

I'm now trying to use it with 5.1, but the middleware doesn't appear to be doing anything? Is it something still being worked on?

need help for enable Laravel-cors

Hi,

I'm new in laravel. I want to use ajax to get data from local source (ip: 192.168.1.123). This is my config file:

array( 'supportsCredentials' => false, 'allowedOrigins' => array('*'), 'allowedHeaders' => array('*'), 'allowedMethods' => array('*'), 'exposedHeaders' => array(), 'maxAge' => 0, 'hosts' => array(), ), 'paths' => array( 'api/*' => array( 'allowedOrigins' => array('*'), 'allowedHeaders' => array('*'), 'allowedMethods' => array('*'), 'maxAge' => 3600, ), '*' => array( 'allowedOrigins' => array('*'), 'allowedHeaders' => array('Content-Type'), 'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'), 'maxAge' => 3600, 'hosts' => array('api.*'), ), ), ``` ); When I use ajax, the error occur: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://192.168.1.123/. This can be fixed by moving the resource to the same domain or enabling CORS." Please advise if the config file is correct or not. Thanks

Lumen support?

Are you going to be supporting lumen?

I released a package CORS for Lumen. https://github.com/dragonfire1119/cors-lumen Hope it helps people.

TokenMismatchException in VerifyCsrfToken.php line 53

I feel as though I run into this EVERYTIME.

I've set up laravel-cors per the instructions. When issuing a POST command I'm getting the following error from the server:

TokenMismatchException in VerifyCsrfToken.php line 53

Stack:

in VerifyCsrfToken.php line 53
at VerifyCsrfToken->handle(object(Request), object(Closure))
at call_user_func_array(array(object(VerifyCsrfToken), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in ShareErrorsFromSession.php line 54
at ShareErrorsFromSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(ShareErrorsFromSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in StartSession.php line 62
at StartSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(StartSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 37
at AddQueuedCookiesToResponse->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AddQueuedCookiesToResponse), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in EncryptCookies.php line 59
at EncryptCookies->handle(object(Request), object(Closure))
at call_user_func_array(array(object(EncryptCookies), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline\{closure}(object(Request)) in CheckForMaintenanceMode.php line 42
at CheckForMaintenanceMode->handle(object(Request), object(Closure))
at call_user_func_array(array(object(CheckForMaintenanceMode), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 124
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 103
at Pipeline->then(object(Closure)) in Kernel.php line 122
at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 87
at Kernel->handle(object(Request)) in index.php line 53

My routes.php:

Route::group(['prefix'=> 'api/v1', 'after' => 'allowOrigin', 'middleware'=>'cors'], function() {
    Route::resource('programs', 'ProgramController');
    Route::resource('programEvents', 'ProgramEventController');
    Route::resource('recruitingEvents', 'RecruitingEventController');
    Route::resource('subscriptions', 'SubscriptionController');
});

My config/cors.php file:

return [
    /*
     |--------------------------------------------------------------------------
     | Laravel CORS
     |--------------------------------------------------------------------------
     |

     | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*') 
     | to accept any value, the allowed methods however have to be explicitly listed.
     |
     */
    'supportsCredentials' => false,
    'allowedOrigins' => ['*'],
    'allowedHeaders' => ['*'],
    'allowedMethods' => ['GET', 'POST', 'PUT',  'DELETE'],
    'exposedHeaders' => [],
    'maxAge' => 0,
    'hosts' => [],
];

My request's headers:

POST /api/v1/subscriptions HTTP/1.1
Host: recruiter-sync-server-api
Connection: keep-alive
Content-Length: 72
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:4200/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

What am I missing?

No Headers set on response to a POST request

I'm trying to do auth with Laravel, Backbone and cross-domain. With your laravel-cors, I can get the correct headers sent along with the pre-flight OPTIONS request, but once the POST is sent with user details to login, none of the headers specified below are ever sent along, so the browsers fails with No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have set up as follows

return array(
    'defaults' => array(
        'allow_credentials' => true,
        'allow_origin' => array('*'),
        'allow_headers' => array('*'),
        'allow_methods' => array('POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'),
        'expose_headers' => array('*'),
        'max_age' => 0,
    ),

    'paths' => array(
        '^/' => array(
            'allow_origin' => array('*'),
            'allow_headers' => array('*'),
            'allow_methods' => array('POST', 'PUT', 'GET', 'DELETE', 'OPTIONS'),
            'max_age' => 3600,
        ),
    ),
);

My SessionController responds as follows to the POST

public function postIndex()
  {
    $email = Input::get('email');
    $password = Input::get('password');

    if( Auth::attempt(array('email' => $email, 'password' => $password), true ) )
    {
      return Response::json(array('success' => true), 200);
    }
    return Response::json(array('success' => false), 403);
  }

Do you have any idea with there would be no headers sent?

Using custom response format

Is it possible to catch the responses from the middleware (403, 500) and transform the response to a json response ?

I am actually using this module for an API and when the CORS are wrong, I simply get a plain text message instead of the expected json

i have installed cors but still getting same error

hi i hve installed cors but still getting same error:

http://www.scrumy.co.uk/

you will see the error

XMLHttpRequest cannot load http://scrumy.co.uk/projects/addtask. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://www.scrumy.co.uk' is therefore not allowed access. The response had HTTP status code 403.

allow a list of domains to use the api

Hi,

I want to allow a list of trusted domains to use the api. My first thought was to use the 'hosts' config to list the domains in an array. This didn't work. I also tried putting it in the 'allowedOrigins' array , same result.

'paths' => array(
        'v1/*' => array(
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('authorization','x-requested-with','apiKey','Content-Type'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 3600,
            'hosts' => array('abc.com','mytrustedweb.org'),
        ),

    ),

Is this possible with the new config file?

Unable to install laravel-cors

I tried installing cors using the readme given on https://github.com/barryvdh/laravel-cors/tree/0.2 but it did not work with laravel 4.2.

After which I tried it with both "barryvdh/laravel-cors": "0.7.x" and "barryvdh/laravel-cors": "0.7" but got the same result.

Everytime I get the following error:

I went through the issues section where people have tried "composer self-update" to solve their problem but even that did not help in my case.

What did I miss ?

Access-Control-Allow-Methods should be set per resource

From what I understand, Access-Control-Allow-Methods should be set specific to a resource. I noticed that if I did an OPTIONS request (without the Origin header), Laravel correctly outputs all the allowed methods for a resource using the Allow header.

< HTTP/1.1 200 OK
< Date: Fri, 20 Jun 2014 17:21:28 GMT
* Server Apache/2.2.15 (CentOS) is not blacklisted
< Server: Apache/2.2.15 (CentOS)
< X-Powered-By: PHP/5.5.11
< Allow: GET,HEAD,POST
< Cache-Control: no-cache
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8

But when I use the laravel-cors package (supplying Origin in the header), it outputs whatever is set in the config for all resources (even if my resource doesn't support that verb).

< HTTP/1.0 200 OK
< Date: Fri, 20 Jun 2014 17:25:54 GMT
< Server: Apache/2.2.15 (CentOS)
< X-Powered-By: PHP/5.5.11
< Cache-Control: no-cache
< Access-Control-Allow-Origin: localhost
< Access-Control-Max-Age: 3600
< Access-Control-Allow-Methods: POST, PUT, GET
< Access-Control-Allow-Headers: content-type, authorization, x-requested-with
< X-Frame-Options: SAMEORIGIN
< Connection: close
< Content-Type: text/html; charset=UTF-8
<

Isn't the point of the Access-Control-Allow-Methods to output the specific allowed methods for the resource?

If Laravel already has this information, can't we get it from the response object and insert the info in the Access-Control-Allow-Methods header?

Conflict with dingo/api

I don't know if this is a bug on dingo/api or laravel-cors side, or if it's just that I messed up with the implementation, but I built up an api using https://github.com/dingo/api and wanted to use this package to handle the CORS. For some reason, I couldn't ever get the OPTIONS requests to return the correct information when going through the dingo/api. For example, my routes file looked somewhat like the following:

$api = app( 'Dingo\Api\Routing\Router' );
$api->version( 'v1',['middleware'=>'cors', function ( $api ) {
    $pong = function () {
        return "pong";
    };
    $api->get( '/ping', $pong );
    $api->put( '/ping', $pong );
    $api->post( '/ping', $pong );
    $api->delete( '/ping', $pong );
}
Route::match(['get','put','update','delete','post'], '/test', ['middleware'=>'cors', 'uses' => function () {
    return "Test";
}] );

When running cors requests through the standard laravel route, I didn't have any problems. However, when running through the dingo api router (/ping), the OPTIONS preflight wouldn't return the correct information. I then tried adding \Barryvdh\Cors\HandleCors::class to the $middleware array in the kernel, and still no luck. I finally got it working by adding both HandleCors and \Barryvdh\Cors\HandlePreflight::class to the $middleware array, even though it looks like the boot process should be dynamically adding that anyway.

So, to sum things up, the fix for me is to make the middleware look like the following:

    protected $middleware = [
        \\ ... All the normal middleware stuff ... \\
        \Barryvdh\Cors\HandleCors::class,
        \Barryvdh\Cors\HandlePreflight::class
    ];

Also, the required composer items are as follows:

    "require": {
        "php": ">=5.5.9",
        "laravel/framework": "5.1.*",
        "dingo/api": "~0.10",
        "tymon/jwt-auth": "~0.5",
        "doctrine/dbal": "~2.3",
        "watson/validating": "~1.0",
        "guzzlehttp/guzzle": "~5.0",
        "guzzlehttp/oauth-subscriber": "0.2.*",
        "barryvdh/laravel-cors": "0.7.x"
    },
    "require-dev": {
        "fzaninotto/faker": "~1.4",
        "mockery/mockery": "0.9.*",
        "phpunit/phpunit": "~4.0",
        "phpspec/phpspec": "~2.1",
        "barryvdh/laravel-ide-helper": "^2.0"
    },

Did exactly as described in the readme but is not working..

I tried different ways before stumbling upon this package. Did exactly as described in the readme file but the error still exists.

FIrst, wanted to debug it myself and so added the Allow headers on htaccess file, then added headers in the routes.php file. After doing this, I ran a curl command just to check if the headers are there and here is the output:

HTTP/1.1 302 Found
Server: cloudflare-nginx
Date: Sun, 19 Apr 2015 13:49:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1c27a79007c4dfc538ea9966de7702331429451369; expires=Mon, 18-Apr-16 13:49:29 GMT; path=/; domain=.[masked].com; HttpOnly
X-Powered-By: PHP/5.5.9-1ubuntu4.7
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE
Access-Control-Allow-Headers: Origin, Accept, Set-Cookie, Location, CF-Ray, Connection, Transfer-Encoding, Cache-Control, X-XSRF-Token, Content-type, X-Powered-By
Cache-Control: no-cache
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImVkSmRqNFBPQ2ZcLzBjMDJkeHJqeVVBPT0iLCJ2YWx1ZSI6IjJvc1VxN2FTR0xTbHB1NUJ1cnlERmp3eUFybEFHbjIzdlkzVk1nZldjTjliNFhxV2NXTk0za3BUUndBdmRrWStEVStoTnJCOW11MWRWTzcxZ25HdHh3PT0iLCJtYWMiOiIyYzBjNjM5ZjFjNjI1NjY3NDljYWFlZjNkOTExZTRmYjNlZGMyY2Q2Y2Q2MGU0MDQ2MzNiODk5MjdjZGRhMjkzIn0%3D; expires=Sun, 19-Apr-2015 15:49:29 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6IjE5a29zdUNESk1PbjMrbE5cL1NYTmx3PT0iLCJ2YWx1ZSI6ImlBZHp6cFZxUjAyeUhNeWp2cWNmVlBQSk9PWkNhRU41XC9rYzJhXC8yTEdTQ0xCcXZRbUZFM0lJSWhWNTVRa1c4OGRTMWZ2N3haZmNHRldcL2VqR09xOE5RPT0iLCJtYWMiOiI5MDhhYzgzMzdhN2QxNWFi:

Clearly, the access headers are present but the no allow origin error still appears.

Then did a fresh install of laravel just to be sure. It's still there.

I know a lot of you have got it working. Hence asking for help.

Any help is much appreciated! Thanks :)

Intermittent results behavior

I installed 0.4 branch with Laravel 5 and defined these rules (just to be sure that every request must be allowed):

return array(

    'defaults' => array(
        'supportsCredentials' => true,
        'allowedOrigins' => array('*'),
        'allowedHeaders' => array('*'),
        'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
        'maxAge' => 3600,
    ),

    'paths' => array(
        'api/*' => array(
            'supportsCredentials' => true,
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('*'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 3600,
        ),
        '*' => array(
            'supportsCredentials' => true,
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('*'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 3600,
        ),
    ),

);

But when I make ajax requests, ramdomly some requests succeed and ramdomly some not, returning Cross-Origin Request Blocked.

Softwares and versions:
Laravel 5.0.16
Laravel Cors with last commit from 25 days ago
Composer version 1.0-dev (ab3622dff1db71024f327387408250208c139a0d) 2015-03-23 11:56:30
PHP 5.5.9
Apache 2.4.7

php56, Laravel 5.1: OPTIONS goes through POST doesn't

I am using this package very successfully in Laravel 5.

Today I wanted to upgrade to Laravel 5.1 which deprecates the usage of filters.

Therefore, I upgraded to laravel-cors 0.6.x, added the Middleware and suddenly the respective headers aren't added anymore.

My options request gets the appropriate headers and includes the information set in my config.
I tried debugging it and the fun part is, that the Middleware is not even reached when I send a post request. Looking at the error log I can find this:

[:error] [pid 26862] [client 127.0.0.1:54487] PHP Deprecated:  Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. in Unknown on line 0, referer: http://127.0.0.1:8000/admin/
[:error] [pid 26862] [client 127.0.0.1:54487] PHP Warning:  Cannot modify header information - headers already sent in Unknown on line 0, referer: http://127.0.0.1:8000/admin/

Any ideas?

No 'Access-Control-Allow-Origin' header is present on the requested resource

after updating laravel-cors to 0.2 , I have started getting
No 'Access-Control-Allow-Origin' header is present on the requested resource in chrome.

[L5] What is correct syntax to load custom config?

Hi @barryvdh ,

I successfully installed package et load provider and middleware.

To load custom configuration, i added this in ConfigServiceProvider:

public function register()
{
       config([
            'laravel-cors.defaults' => [
                'supportsCredentials' => false,
                'allowedOrigins'      => [],
                'allowedHeaders'      => [],
                'allowedMethods'      => [],
                'exposedHeaders'      => [],
                'maxAge'              => 0,
                'hosts'               => [],
            ],
            'laravel-cors.paths'    => [
                '*' => [
                    'allowedOrigins' => ['*'],
                    'allowedHeaders' => ['Content-Type'],
                    'allowedMethods' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
                    'maxAge'         => 3600,
                    'hosts'          => ['api.*'],
                ],
            ]
        ]);
}

Is this syntax is correct ?

Because when i return laravel-cors config, i show default configuration :

// Return Laravel-cors configuration
Config::get('laravel-cors');

Output:

{
    "defaults": {
        "supportsCredentials": false,
        "allowedOrigins": [],
        "allowedHeaders": [],
        "allowedMethods": [],
        "exposedHeaders": [],
        "maxAge": 0,
        "hosts": []
    },
    "paths": {
        "api/*": {
            "allowedOrigins": [
                "*"
            ],
            "allowedHeaders": [
                "*"
            ],
            "allowedMethods": [
                "*"
            ],
            "maxAge": 3600
        },
        "*": {
            "allowedOrigins": [
                "*"
            ],
            "allowedHeaders": [
                "Content-Type"
            ],
            "allowedMethods": [
                "POST",
                "PUT",
                "GET",
                "DELETE"
            ],
            "maxAge": 3600,
            "hosts": [
                "api.*"
            ]
        }
    }
}

Thanks

Add Support for Validator

Currently there's no CORS when the Validator throws an error. This is annoying if you want to check which fields are missing

Can't install for Laravel 5.1

I realise 5.1 isn't actually released yet. But it's so close I am developing a new project with it. I'm just wondering if laravel-cors requirement for illuminate/support needs to be so specific ~5.0.17 as composer won't install it with laravel 5.1. tymon/jwt-auth for example requires ~5.0.x which composer seems happier with.

twitter Oauth2.0 error

I got an error when i use twitter Oauth

Error in exception handler: Class laravel-cors.send does not exist in /var/www/html/dev-api2/vendor/laravel/framework/src/Illuminate/Container/Container.php:501

here is my setting

    'defaults' => array(
        'allow_credentials' => false,
        'allow_origin'      => array('*'),
        'allow_headers'     => array('*'),
        'allow_methods'     => array('*'),
        'expose_headers'    => array('*'),
        'max_age'           => 0
    ),

    'paths'    => array(
        '^/' => array(
            'allow_origin'  => array('*'),
            'allow_headers' => array('*'),
            'allow_methods' => array(
                'POST',
                'PUT',
                'GET',
                'DELETE',
                'OPTIONS'
            ),
            'max_age'       => 3600
        )
    ),

Does not work correctly with custom response

Just been trying this out with my API project and it doesn't seem work if you use requests such as:

App::error(function(Exception $e) {
  // ...

  return Response::json();
});

It only seems to work from within the standard request-response flow.

don't install illuminate/support v5.0.0|don't install laravel/framework v5.1.10

$ composer require barryvdh/laravel-cors 0.4.x@dev

./composer.json has been updated
> php artisan clear-compiled
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for barryvdh/laravel-cors 0.4.x@dev -> satisfiable by barryvdh/laravel-cors[v0.4.0].
    - Conclusion: remove laravel/framework v5.1.10
    - Conclusion: don't install laravel/framework v5.1.10
    - barryvdh/laravel-cors v0.4.0 requires illuminate/support 5.0.x -> satisfiable by illuminate/support[v5.0.0, v5.0.22, v5.0.25, v5.0.26, v5.0.28, v5.0.33, v5.0.4].
    - don't install illuminate/support v5.0.0|don't install laravel/framework v5.1.10
    - don't install illuminate/support v5.0.22|don't install laravel/framework v5.1.10
    - don't install illuminate/support v5.0.25|don't install laravel/framework v5.1.10
    - don't install illuminate/support v5.0.26|don't install laravel/framework v5.1.10
    - don't install illuminate/support v5.0.28|don't install laravel/framework v5.1.10
    - don't install illuminate/support v5.0.33|don't install laravel/framework v5.1.10
    - don't install illuminate/support v5.0.4|don't install laravel/framework v5.1.10
    - Installation request for laravel/framework == 5.1.10.0 -> satisfiable by laravel/framework[v5.1.10].


Installation failed, reverting ./composer.json to its original content.

simply does not work

I followed the installation procedure. I am getting the same error.

Please advise.

Fresh response object for preflight requests.

Hi barryvdh,

Thanks for the package, I have however noticed a problem.

In the preflight middleware the response object is obtained via the $next closure.

The problem with this is that if we use status codes in our api such as "400 Bad request" our preflight will also fail.

This means that we cannot display a useful message to the user.

I was able to fix this in the middleware by simply returning the the cors service's handlePreflightRequest response object.

public function handle($request, Closure $next)
{
    if ($this->cors->isPreflightRequest($request))
    {
        $response = $this->cors->handlePreflightRequest($request);
    }
    else
    {
        $response = $next($request);
    }

    return $response;

    //$response = $next($request);
    //
    //if ($this->cors->isPreflightRequest($request)) {
    //  $preflight = $this->cors->handlePreflightRequest($request);
    //  $response->headers->add($preflight->headers->all());
    //}
    //
    //return $response;
}

What do you think?

Thanks

Gareth :)

Laravel 5 Package not working

Im trying to make a post call from an angularjs app to my laravel 5 service. Installed your package and did what its on the read me.

But i cant get the package to work. Only if i comment the VerifyCsrfToken on Kernel.php it works

in my routes.php

Route::group(['prefix'=>'api', 'middleware' => 'cors'], function(){
    Route::post('login/auth', [function(){
        return 'some text';
    }]);
});

my VerifyCsrfToken.php

class VerifyCsrfToken extends BaseVerifier {
    protected $except = [
        'api/*'
    ];
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        return parent::handle($request, $next);
    }
}

my cors.php

<?php

return [
    /*
     |--------------------------------------------------------------------------
     | Laravel CORS
     |--------------------------------------------------------------------------
     |

     | allowedOrigins, allowedHeaders and allowedMethods can be set to array('*') 
     | to accept any value, the allowed methods however have to be explicitly listed.
     |
     */
    'supportsCredentials' => false,
    'allowedOrigins' => ['*'],
    'allowedHeaders' => ['*'],
    'allowedMethods' => ['GET', 'POST', 'PUT',  'DELETE'],
    'exposedHeaders' => [],
    'maxAge' => 0,
    'hosts' => [],
];

CORS with PhoneGap App - Session is new on every request

Hi,

thanks for this extension!

I have installed laravel-cors with settings:

    'defaults' => array(
        'supportsCredentials' => true,
        'allowedOrigins' => array(),
        'allowedHeaders' => array(),
        'allowedMethods' => array(),
        'exposedHeaders' => array(),
        'maxAge' => 0,
        'hosts' => array(),
    ),

    'paths' => array(
        'api/*' => array(
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('*'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 3600,
        ),
        '*' => array(
            'allowedOrigins' => array('*'),
            'allowedHeaders' => array('*'),
            'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
            'maxAge' => 3600,
            'hosts' => array('api.*'),
        ),
    ),

Then I create a route filter:

Route::filter('authJson', function()
{
    $user = User::getUserByAuthHeader();

    if(!is_null($user))
    {
        Auth::login($user);
    }
    else
    {
        $sessionError = [
            "error" => [
                "code" => 401,
                "message" => "Token is wrong ",
            ]
        ];

        return Response::json($sessionError, 401);
    }
});

All route-pages return his response with:

return Response::json($rs);

My jQuery Code:

            $.ajaxSetup({
                xhrFields: {
                    withCredentials: true
                },
            });

If the user is successful logged in, I at the header:

        $.ajaxSetup({
            headers: {
                "X-Authentication-Token": accessToken
            },
        });

This works fine. The User is logged in and can view all member pages.

HTTP/1.1 200 OK
Date    Fri, 06 Jun 2014 11:17:43 GMT
Server  Apache/2.2.26 (Unix) DAV/2 PHP/5.5.10 mod_ssl/2.2.26 OpenSSL/0.9.8y
X-Powered-By    PHP/5.5.10
Cache-Control   no-cache
Access-Control-Allow-Origin *
Vary    Origin
Access-Control-Allow-Credentials    true
Set-Cookie  sid=**** session id *****; expires=Fri, 06-Jun-2014 13:17:43 GMT; Max-Age=7200; path=/; httponly
Set-Cookie  remember_**** session id *****; expires=Wed, 05-Jun-2019 11:17:43 GMT; Max-Age=157680000; path=/; httponly
Transfer-Encoding   chunked
Content-Type    application/json

Next request to get one user. First is OPTION Request:

OPTIONS /api/users/1 HTTP/1.1
Host    mydomain
Cache-Control   no-cache
Access-Control-Request-Method   GET
Pragma  no-cache
Origin  http://0.0.0.0:8001
User-Agent  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Access-Control-Request-Headers  accept, access-control-allow-credentials, x-requested-with, x-authentication-token
Accept  */*
Referer http://0.0.0.0:8001/
Accept-Encoding gzip,deflate,sdch
Accept-Language de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4

Options Response:

HTTP/1.0 200 OK
Date    Fri, 06 Jun 2014 11:07:41 GMT
Server  Apache/2.2.26 (Unix) DAV/2 PHP/5.5.10 mod_ssl/2.2.26 OpenSSL/0.9.8y
X-Powered-By    PHP/5.5.10
Cache-Control   no-cache
Access-Control-Allow-Credentials    true
Access-Control-Allow-Origin http://0.0.0.0:8001
Access-Control-Max-Age  3600
Access-Control-Allow-Methods    POST, PUT, GET, DELETE
Access-Control-Allow-Headers    ACCEPT, ACCESS-CONTROL-ALLOW-CREDENTIALS, X-REQUESTED-WITH, X-AUTHENTICATION-TOKEN
Set-Cookie  sid=**** different session id *****; expires=Fri, 06-Jun-2014 13:07:41 GMT; Max-Age=7200; path=/; httponly
Connection  close
Content-Type    text/html

user GET Request:

GET /api/users/1 HTTP/1.1
Host    mydomain
Cache-Control   no-cache
Pragma  no-cache
Origin  http://0.0.0.0:8001
X-Requested-With    XMLHttpRequest
Accept  application/json, text/javascript, */*; q=0.01
Access-Control-Allow-Credentials    true
X-Authentication-Token  *** the auth token ***
User-Agent  Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Referer http://0.0.0.0:8001/
Accept-Encoding gzip,deflate,sdch
Accept-Language de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4

user GET Response:

HTTP/1.1 200 OK
Date    Fri, 06 Jun 2014 11:07:42 GMT
Server  Apache/2.2.26 (Unix) DAV/2 PHP/5.5.10 mod_ssl/2.2.26 OpenSSL/0.9.8y
X-Powered-By    PHP/5.5.10
Cache-Control   no-cache
Access-Control-Allow-Origin http://0.0.0.0:8001
Vary    Origin
Access-Control-Allow-Credentials    true
Set-Cookie  sid=**** another different session id *****; expires=Fri, 06-Jun-2014 13:07:42 GMT; Max-Age=7200; path=/; httponly
Transfer-Encoding   chunked
Content-Type    application/json

Whats didnt work is the Laravel Session. On every request I get a new Session ID.

My session config:

'driver' => 'file',
'lifetime' => 120,
'expire_on_close' => false,
'cookie' => 'sid',
'domain' => null,

Used:
Laravel 4.2
jQuery 2.1.1

I didnt know how to get the laravel session properly to work. Do I anything wrong?

Best regards,
Sebastian

can you please tell me the composer syntax

for using the laravel 5 version?

some routes won't be enabled

Sorry disturbing again, I have a problem and can't figure out what the problem should be

I have the following config

return array(

/*
 |--------------------------------------------------------------------------
 | Laravel CORS Defaults
 |--------------------------------------------------------------------------
 |
 | The defaults are the default values applied to all the paths that match,
 | unless overridden in a specific URL configuration.
 | If you want them to apply to everything, you must define a path with ^/.
 |
 | allow_origin and allow_headers can be set to * to accept any value,
 | the allowed methods however have to be explicitly listed.
 |
 */
'defaults' => array(
'supportsCredentials' => false,
'allowedOrigins' => array('*'),
'allowedHeaders' => array('*'),
'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
'maxAge' => 3600,
'exposedHeaders' => array(),
'hosts' => array(),

'paths' => array(
'^/api/products/' => array(
'allowedOrigins' => array(''),
'allowedHeaders' => array('*'),
'allowedMethods' => array('POST', 'PUT', 'GET', 'DELETE'),
'maxAge' => 3600,
),
),

);

following router

// =============================================
// API ROUTES ==================================
// =============================================
Route::group(array('prefix' => 'api', 'before' => 'auth.token'), function() {

Route::get('products/{id}', 'ProductController@show', array('only' => array('index', 'store', 'destroy', 'update', 'show', 'edit')));
Route::resource('products', 'ProductController', array('only' => array('index', 'store', 'destroy', 'update', 'show', 'edit')));

});

than on api/products I can access the restapi but if I call api/products/prodID

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at /api/products/1CE8-05J

Tag for version 0.7.x missing

There doesn't seem to be a tag for version 0.7.0. I tried using the install instructions but couldn't get the 0.7.0 version to install unless I used dev-master in my composer.json

Class 'Barryvdh\Cors\CorsServiceProvider' not found when running 'composer install/update' on 0.2.x

I am deploying a laravel 4.x application to a production machine. I am using the 0.2.x branch.

When running

composer install

composer update

I get the following error:

[root@webapps prod]# composer update
> php artisan clear-compiled
PHP Fatal error:  Class 'Barryvdh\Cors\CorsServiceProvider' not found in /var/www/html/apps/request-tracker/prod/vendor/laravel/framework/src/Illuminate/Foundation/ProviderRepository.php on line 157

{"error":{"type":"Symfony\\Component\\Debug\\Exception\\FatalErrorException","message":"Class 'Barryvdh\\Cors\\CorsServiceProvider' not found","file":"\/var\/www\/html\/apps\/request-tracker\/prod\/vendor\/laravel\/framework\/src\/Illuminate\/Foundation\/ProviderRepository.php","line":157}}

Script php artisan clear-compiled handling the pre-update-cmd event returned with an error

  [RuntimeException]
  Error Output: PHP Fatal error:  Class 'Barryvdh\Cors\CorsServiceProvider' not found in /var/www/html/apps/request-tracker/prod/vendor/laravel/framework/src/Illuminate/Foundat
  ion/ProviderRepository.php on line 157

How do I solve for this?

Here is my composer file:

{
    "name": "laravel/laravel",
    "description": "The Laravel Framework.",
    "keywords": ["framework", "laravel"],
    "require": {
        "laravel/framework": "4.2.*",
        "loic-sharma/profiler":"1.1.*",
        "rhumsaa/array_column": "~1.1",
        "sidney/latchet": "dev-master",
        "brainboxlabs/brain-socket": "v1.0.0",
        "barryvdh/laravel-cors": "0.2.x",
        "maatwebsite/excel": "~1.3.0"
    },
    "repositories":[
        {
            "type": "vcs",
            "url": "https://github.com/sidneywidmer/latchet"
        }
    ],
    "autoload": {
        "classmap": [
            "app/commands",
            "app/controllers",
            "app/models",
            "app/database/migrations",
            "app/database/seeds",
            "app/tests/TestCase.php"
        ]
    },
    "scripts": {
        "post-install-cmd": [
            "php artisan optimize"
        ],
        "pre-update-cmd": [
            "php artisan clear-compiled"
        ],
        "post-update-cmd": [
            "php artisan optimize"
        ],
        "post-create-project-cmd": [
            "php artisan key:generate"
        ]
    },
    "config": {
        "preferred-install": "dist"
    },
    "minimum-stability": "dev"
}

And here is my app/config/app.php file:

<?php

return array(
    'debug' => true,

    'url' => 'http://localhost',

    'timezone' => 'UTC',

    'locale' => 'en',

    'key' => 'YourSecretKey!!!',


    'cipher'    =>  MCRYPT_RIJNDAEL_256,

    'providers' => array(

        **** truncated ****

        'Barryvdh\Cors\CorsServiceProvider',
        'BrainSocket\BrainSocketServiceProvider',
        'Maatwebsite\Excel\ExcelServiceProvider',

    ),

    'manifest' => storage_path().'/meta',


    'aliases' => array(
        **** truncated ****
    ),

    'profiler' => true,

);

The 'Access-Control-Allow-Origin' header contains multiple values

I'm using AngularJS App on the client side to access Laravel API hosted on IIS 8.5.It works fine when client is hosted on same domain.But when hosted on different domain it gives following error.

XMLHttpRequest cannot load http://example.com/api. The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost, *', but only one is allowed. Origin 'http://localhost' is therefore not

Web.config:

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Imported Rule 1" stopProcessing="true">
                    <match url="^(.*)/$" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                    </conditions>
                    <action type="Redirect" url="/{R:1}" redirectType="Permanent" />
                </rule>
                <rule name="Imported Rule 2" stopProcessing="true">
                    <match url="^" ignoreCase="false" />
                    <conditions logicalGrouping="MatchAll">
                        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
                    </conditions>
                    <action type="Rewrite" url="index.php" />
                </rule>
            </rules>
        </rewrite>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="*" />
                <add name="Access-Control-Allow-Headers" value="Origin, Content-Type, Authorization, Accept, X-Request-With" />
                <add name="Access-Control-Allow-Methods" value="GET, POST, PUT,  DELETE, OPTIONS" />
                <add name="Access-Control-Allow-Credentials" value="true" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

Actual Response header:

Request Method:POST
Status Code:200 OK
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Origin, Content-Type, Authorization, Accept, X-Request-With
Access-Control-Allow-Methods:GET, POST, PUT,  DELETE, OPTIONS
Access-Control-Allow-Origin:http://localhost
Access-Control-Allow-Origin:*

Why 'Access-Control-Allow-Origin' echoed twice.
What is the right way to host API on IIS? Do I have to include headers in web.config file.

documentation confusion: allowedMethods can be set to array('*')

In the cors.php config file:

allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
to accept any value, the allowed methods however have to be explicitly listed.

The latter statement seems to contradict allowedMethods can be set to array('*')

So should I set the allowedMethods to

[
  // ......
  'allowedMethods'      => ['*'],
  // ......
]

[
  // ......
  'allowedMethods'      => ['DELETE', 'GET', 'OPTION', 'PATCH', 'POST', 'PUT'],
  // ......
]

preflight request 405 method not allowed

I have setup laravel-cors bundle with the basic config as show below.
'defaults' => array(
'allow_credentials' => false,
'allow_origin'=> array('*'),
'allow_headers'=> array('authorization,x-requested-with'),
'allow_methods'=> array('POST', 'PUT', 'GET', 'DELETE','OPTIONS'),
'expose_headers'=> array(),
'max_age' => 10
),

'paths' => array(
'^/api/' => array(
'allow_origin'=> array(''),
'allow_headers'=> array('Content-Type'),
'allow_methods'=> array('POST', 'PUT', 'GET', 'DELETE'),
'max_age' => 3600
),
'^/v1/' => array(
'allow_origin'=> array(''),
'allow_headers'=> array('authorization,x-requested-with'),
'allow_methods'=> array('POST', 'PUT', 'GET', 'DELETE','OPTIONS'),
'max_age' => 10
)
),

I get the correct headers back but with a HTTP 405 error. what am i missing?

how to specify subdomain in config?

The 'Access-Control-Allow-Origin' header contains multiple values, but only one is allowed.

I'm running into this issue while requesting api in my ionic application.

Removing two lines in stack-cors package:
$response->headers->set('Access-Control-Allow-Origin', $request->headers->get('Origin'));
solves my problem, but there has to be a better solution.

I'm using default config/cors.php file