Skip to content
docsv0.1.0

AllowListCorsPolicy

Static allow-list {@see CorsPolicyInterface}: a request is allowed only if its method, `Origin`, and every requested header are each on their respective configured allow-list. A missing/empty `Origin` (same-origin or non-browser request) is always allowed — CORS only governs cross-origin browser requests.

AllowListCorsPolicy::__construct()

public function __construct(array $allowedOrigins, array $allowedMethods = [], array $allowedHeaders = [], bool $allowCredentials = false, int $maxAge = 600):

Parameters

Parameters of __construct()
NameTypeDescription
$allowedOriginsarray<int, string>
$allowedMethodsarray<int, string>
$allowedHeadersarray<int, string>
$allowCredentialsbool
$maxAgeint

AllowListCorsPolicy::check()

public function check(?string $origin, string $method, array $requestHeaders = []): Milpa\Live\ValueObjects\CorsDecision

Evaluates one CORS preflight/request against the configured allow-lists. A denial carries a machine-readable `reason` (`method_not_allowed`, `origin_not_allowed`, `header_not_allowed`); an allowed cross-origin request carries the response headers the caller should emit.

Parameters

Parameters of check()
NameTypeDescription
$origin?string
$methodstring
$requestHeadersarray