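/**
 * Applies the configured CORS headers to a response.
 *
 * Reads the 'cors' block of the 'RESTfulAPI' config and, when 'Enabled'
 * is set, adds the Access-Control-Allow-Origin / -Allow-Headers /
 * -Allow-Methods / -Max-Age headers from it.
 *
 * The Allow-Origin value is either the literal configured string, or the
 * request's own Origin when that Origin is permitted: unconditionally when
 * the config value is '*', or by exact (strict) membership when the config
 * value is a list. A request Origin that is not in a configured list gets
 * no Allow-Origin header at all, so the browser denies the cross-origin
 * read. Whenever the request Origin is reflected, 'Vary: Origin' is also
 * sent so a shared cache does not replay one origin's response to another.
 *
 * NOTE(review): with the '*' config value the request Origin is echoed back
 * rather than a literal '*'; if Access-Control-Allow-Credentials is added
 * elsewhere that combination allows credentialed requests from any origin —
 * confirm that is intended.
 *
 * @param SS_HTTPResponse $answer response to decorate
 * @return SS_HTTPResponse the same response instance, headers added
 */
private function setAnswerCORS(SS_HTTPResponse $answer)
{
    $cors = Config::inst()->get('RESTfulAPI', 'cors');
    // Skip entirely when CORS is off or the config block is absent.
    if (empty($cors['Enabled'])) {
        return $answer;
    }

    // Resolve the origin to send; null means "send no header".
    $configuredOrigin = isset($cors['Allow-Origin']) ? $cors['Allow-Origin'] : null;
    $requestOrigin = $this->request->getHeader('Origin');
    $allowedOrigin = null;
    if (is_array($configuredOrigin)) {
        // Whitelist of origins: reflect only on an exact, strict match so
        // loose comparison cannot widen the list (and so the array itself
        // is never emitted as a header value).
        if ($requestOrigin && in_array($requestOrigin, $configuredOrigin, true)) {
            $allowedOrigin = $requestOrigin;
        }
    } elseif ($configuredOrigin === '*' && $requestOrigin) {
        $allowedOrigin = $requestOrigin;
    } elseif ($configuredOrigin !== null) {
        $allowedOrigin = $configuredOrigin;
    }

    if ($allowedOrigin !== null) {
        $answer->addHeader('Access-Control-Allow-Origin', $allowedOrigin);
        if ($allowedOrigin === $requestOrigin) {
            // The header value depends on the request's Origin; tell caches,
            // preserving any Vary the response already carries.
            $vary = $answer->getHeader('Vary');
            if (!$vary) {
                $answer->addHeader('Vary', 'Origin');
            } elseif (stripos($vary, 'Origin') === false) {
                $answer->addHeader('Vary', $vary . ', Origin');
            }
        }
    }

    // Allowed headers: '*' reflects whatever the preflight asked for,
    // otherwise the configured value is sent verbatim.
    $configuredHeaders = isset($cors['Allow-Headers']) ? $cors['Allow-Headers'] : null;
    if ($configuredHeaders === '*') {
        $allowedHeaders = $this->request->getHeader('Access-Control-Request-Headers');
    } else {
        $allowedHeaders = $configuredHeaders;
    }
    // An empty value would produce a blank header line; omit it instead.
    if ($allowedHeaders) {
        $answer->addHeader('Access-Control-Allow-Headers', $allowedHeaders);
    }

    // Allowed methods and preflight cache lifetime, only when configured.
    if (isset($cors['Allow-Methods'])) {
        $answer->addHeader('Access-Control-Allow-Methods', $cors['Allow-Methods']);
    }
    if (isset($cors['Max-Age'])) {
        $answer->addHeader('Access-Control-Max-Age', $cors['Max-Age']);
    }

    return $answer;
}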