From 110394a9c6d55cc61cc69b01cfc868cb90500f0d Mon Sep 17 00:00:00 2001
From: Loz Calver
Date: Mon, 20 Mar 2023 12:49:48 +0000
Subject: [PATCH] FIX: Don't 403 error when origin is on CORS-disallowed (fixes #519)
---
 src/Controller.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/Controller.php b/src/Controller.php
index 571c9e50..e130e399 100644
--- a/src/Controller.php
+++ b/src/Controller.php
@@ -184,17 +184,17 @@ public function addCorsHeaders(HTTPRequest $request, HTTPResponse $response): HT
 return $response;
 }
- // Calculate origin
+ // Get origin - only one host name is allowed in the Allow-Origin header, so we must return the current origin
 $origin = $this->getRequestOrigin($request);
- // Check if valid
+ // Only output an Allow-Origin header if the current origin is a valid one
 $allowedOrigins = (array)$corsConfig['Allow-Origin'];
- $originAuthorised = $this->validateOrigin($origin, $allowedOrigins);
- if (!$originAuthorised) {
- $this->httpError(403, "Access Forbidden");
+ if ($this->validateOrigin($origin, $allowedOrigins)) {
+ // Ensure '*' is output if all origins are allowed, otherwise use current origin
+ $allowedOrigin = $corsConfig['Allow-Origin'] === '*' ? '*' : $origin;
+ $response->addHeader('Access-Control-Allow-Origin', $allowedOrigin);
 }
- $response->addHeader('Access-Control-Allow-Origin', $origin);
 $response->addHeader('Access-Control-Allow-Headers', $corsConfig['Allow-Headers']);
 $response->addHeader('Access-Control-Allow-Methods', $corsConfig['Allow-Methods']);
 $response->addHeader('Access-Control-Max-Age', $corsConfig['Max-Age']);
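Review bot: The new branch echoes the request origin into Access-Control-Allow-Origin whenever the configured value is not exactly `'*'`, so the same URL now produces per-origin responses, and unless it is set outside this hunk a `Vary: Origin` header is needed so a shared cache does not hand one origin's Allow-Origin value to another — e.g. `$response->addHeader('Vary', 'Origin');` directly after the Allow-Origin header. Note also that a config of `['*']` (array form) is cast for validateOrigin but fails the strict `=== '*'` test, so if validateOrigin accepts it the specific origin is reflected rather than `*`; that is the safer outcome, but the "Ensure '*' is output" comment should say the wildcard is only emitted for the bare-string form. Dropping the 403 is reasonable, since CORS is a browser-side read restriction rather than an authorisation control, but the remaining Allow-Headers/Allow-Methods/Max-Age lines are still emitted for a disallowed origin; a one-line comment noting that this is intentional (the browser rejects the response without Allow-Origin anyway) would prevent a future reader from treating it as a leak. addCorsHeaders starts before this hunk and continues past it.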