AllowListCorsPolicy
Static allow-list {@see CorsPolicyInterface}: a request is allowed only if its method, `Origin`, and every requested header are each on their respective configured allow-list. A missing/empty `Origin` (same-origin or non-browser request) is always allowed — CORS only governs cross-origin browser requests.
AllowListCorsPolicy::__construct()
public function __construct(array $allowedOrigins, array $allowedMethods = [], array $allowedHeaders = [], bool $allowCredentials = false, int $maxAge = 600):Parameters
| Name | Type | Description |
|---|---|---|
| $allowedOrigins | array<int, string> | |
| $allowedMethods | array<int, string> | |
| $allowedHeaders | array<int, string> | |
| $allowCredentials | bool | |
| $maxAge | int |
AllowListCorsPolicy::check()
public function check(?string $origin, string $method, array $requestHeaders = []): Milpa\Live\ValueObjects\CorsDecisionEvaluates one CORS preflight/request against the configured allow-lists. A denial carries a machine-readable `reason` (`method_not_allowed`, `origin_not_allowed`, `header_not_allowed`); an allowed cross-origin request carries the response headers the caller should emit.
Parameters
| Name | Type | Description |
|---|---|---|
| $origin | ?string | |
| $method | string | |
| $requestHeaders | array |