[9.x] Integrate Laravel CORS into framework (#41137)

* Add HandleCors middleware

* Port tests

* Apply fixes from StyleCI

* wip

* wip

* wip

* wip

* Update HandleCors.php

Co-authored-by: StyleCI Bot <bot@styleci.io>
Co-authored-by: Taylor Otwell <taylor@laravel.com>

composer.json

@@ -24,6 +24,7 @@
         "laravel/serializable-closure": "^1.0",
         "league/commonmark": "^2.2",
         "league/flysystem": "^3.0",
+        "fruitcake/php-cors": "^1.2",
         "monolog/monolog": "^2.0",
         "nesbot/carbon": "^2.53.1",
         "psr/container": "^1.1.1|^2.0.1",

src/Illuminate/Http/Middleware/HandleCors.php

@@ -0,0 +1,112 @@
+<?php
+
+namespace Illuminate\Http\Middleware;
+
+use Closure;
+use Fruitcake\Cors\CorsService;
+use Illuminate\Contracts\Container\Container;
+use Illuminate\Http\Request;
+
+class HandleCors
+{
+    /**
+     * The container instance.
+     *
+     * @var \Illuminate\Contracts\Container\Container
+     */
+    protected $container;
+
+    /**
+     * The CORS service instance.
+     *
+     * @var \Fruitcake\Cors\CorsService
+     */
+    protected $cors;
+
+    /**
+     * Create a new middleware instance.
+     *
+     * @param  \Illuminate\Contracts\Container\Container  $container
+     * @param  \Fruitcake\Cors\CorsService  $cors
+     * @return void
+     */
+    public function __construct(Container $container, CorsService $cors)
+    {
+        $this->container = $container;
+        $this->cors = $cors;
+    }
+
+    /**
+     * Handle the incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return \Illuminate\Http\Response
+     */
+    public function handle($request, Closure $next)
+    {
+        if (! $this->hasMatchingPath($request)) {
+            return $next($request);
+        }
+
+        $this->cors->setOptions($this->container['config']->get('cors', []));
+
+        if ($this->cors->isPreflightRequest($request)) {
+            $response = $this->cors->handlePreflightRequest($request);
+
+            $this->cors->varyHeader($response, 'Access-Control-Request-Method');
+
+            return $response;
+        }
+
+        $response = $next($request);
+
+        if ($request->getMethod() === 'OPTIONS') {
+            $this->cors->varyHeader($response, 'Access-Control-Request-Method');
+        }
+
+        return $this->cors->addActualRequestHeaders($response, $request);
+    }
+
+    /**
+     * Get the path from the configuration to determine if the CORS service should run.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return bool
+     */
+    protected function hasMatchingPath(Request $request): bool
+    {
+        $paths = $this->getPathsByHost($request->getHost());
+
+        foreach ($paths as $path) {
+            if ($path !== '/') {
+                $path = trim($path, '/');
+            }
+
+            if ($request->fullUrlIs($path) || $request->is($path)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Get the CORS paths for the given host.
+     *
+     * @param  string  $host
+     * @return array
+     */
+    protected function getPathsByHost(string $host)
+    {
+        $paths = $this->container['config']->get('cors.paths', []);
+
+        if (isset($paths[$host])) {
+            return $paths[$host];
+        }
+
+        return array_filter($paths, function ($path) {
+            return is_string($path);
+        });
+    }
+}

src/Illuminate/Http/Middleware/TrustHosts.php

@@ -36,7 +36,7 @@ abstract public function hosts();
      * Handle the incoming request.
      *
      * @param  \Illuminate\Http\Request  $request
-     * @param  callable  $next
+     * @param  \Closure  $next
      * @return \Illuminate\Http\Response
      */
     public function handle(Request $request, $next)

src/Illuminate/Http/composer.json

@@ -16,6 +16,7 @@
     "require": {
         "php": "^8.0.2",
         "ext-json": "*",
+        "fruitcake/php-cors": "^1.2",
         "illuminate/collections": "^9.0",
         "illuminate/macroable": "^9.0",
         "illuminate/session": "^9.0",