Skip to content
docsv0.1.0

CorsPolicyInterface

Decides whether a cross-origin HTTP request to the live endpoint is allowed, and which CORS response headers to send back. Consulted by the HTTP transport layer before any component interaction is dispatched — this is a transport-level gate, independent of {@see InteractionAuthorizerInterface}'s per-action authorization.

CorsPolicyInterface::check()

abstract public function check(?string $origin, string $method, array $requestHeaders = []): Milpa\Live\ValueObjects\CorsDecision

Evaluates one request's CORS eligibility.

Parameters

Parameters of check()
NameTypeDescription
$origin(string | null)The request's `Origin` header value, or `null`/empty for a same-origin (or non-browser) request.
$methodstring
$requestHeadersarray<int, string>Header names the request declares it will send (e.g. from a preflight's `Access-Control-Request-Headers`).

Returns

`allowed: false` means the caller MUST reject the request; `allowed: true` carries the response headers to attach.