fix: access control headers forwarding

src/CdnPhpBundle.php

@@ -27,7 +27,7 @@
         /** @var ArrayNodeDefinition $treeBuilder */
         $treeBuilder = $definition->rootNode();
 
         $treeBuilder
             ->children()
                 ->arrayNode('proxy')->isRequired()
                     ->children()
@@ -35,6 +35,7 @@
                         ->scalarNode('url')->isRequired()->end()
                         ->booleanNode('check_assets')->defaultTrue()->end()
                         ->booleanNode('encrypted_parameters')->defaultFalse()->end()
+                        ->scalarNode('cors_allow_origin')->defaultValue('*')->end()
                     ->end()
                 ->end() // proxy
                 ->arrayNode('encrypter')->addDefaultsIfNotSet()
@@ -66,6 +67,7 @@
                 ->arg('$assetsPath', $config['proxy']['assets_path'])
                 ->arg('$checkAssets', $config['proxy']['check_assets'])
                 ->arg('$cdnPhpUrl', $config['proxy']['url'])
+                ->arg('$corsAllowOrigin', $config['proxy']['cors_allow_origin'])
         ;
 
         $container->services()

src/Proxy.php

@@ -32,6 +32,7 @@ public function __construct(
         private readonly HttpClientInterface $client,
         private readonly string $cdnPhpUrl,
         private readonly Signer $signer,
+        private readonly ?string $corsAllowOrigin = null,
         private readonly ?FallbackHandlerInterface $fallbackHandler = null,
     ) {
         parent::__construct($assetsPath);
@@ -88,11 +89,18 @@ public function response(string $file, ?Options $options = null, array $headers
             }
 
             foreach ($responseHeaders as $header => $values) {
-                if (true === str_starts_with($header, 'x-') || true === str_starts_with($header, 'cf-')) {
+                if (true === str_starts_with($header, 'x-')
+                    || true === str_starts_with($header, 'cf-')
+                    || true === str_starts_with($header, 'access-control-')
+                ) {
                     $newResponse->headers->set($header, $values);
                 }
             }
 
+            if (null !== $this->corsAllowOrigin) {
+                $newResponse->headers->set('Access-Control-Allow-Origin', $this->corsAllowOrigin);
+            }
+
             $newResponse->headers->set(AbstractSessionListener::NO_AUTO_CACHE_CONTROL_HEADER, 'true');
         } catch (\Throwable $e) {
             if ($this->fallbackHandler instanceof FallbackHandlerInterface) {

tests/ProxyTest.php

@@ -46,6 +46,7 @@ private function makeProxy(
         bool $checkAssets = false,
         ?FallbackHandlerInterface $fallback = null,
         ?Signer $signer = null,
+        ?string $corsAllowOrigin = '*',
     ): Proxy {
         return new Proxy(
             self::ASSETS_PATH,
@@ -54,6 +55,7 @@ private function makeProxy(
             $client,
             self::CDN_URL,
             $signer ?? new Signer(),
+            $corsAllowOrigin,
             $fallback,
         );
     }
@@ -137,6 +139,58 @@ public function testResponseForwardsAllXPrefixedHeaders(): void
         self::assertSame('my-value', $response->headers->get('x-my-custom'));
     }
 
+    public function testResponseForwardsAccessControlHeadersFromCdn(): void
+    {
+        $client = new MockHttpClient(
+            new MockResponse(
+                'font-content',
+                [
+                    'response_headers' => [
+                        'access-control-allow-origin' => ['https://example.com'],
+                        'access-control-expose-headers' => ['Content-Length'],
+                    ],
+                ]
+            )
+        );
+
+        $response = $this->makeProxy($client, corsAllowOrigin: null)->response('font.woff2');
+
+        self::assertSame('https://example.com', $response->headers->get('access-control-allow-origin'));
+        self::assertSame('Content-Length', $response->headers->get('access-control-expose-headers'));
+    }
+
+    public function testResponseSetsCorsAllowOriginWhenConfigured(): void
+    {
+        $client = new MockHttpClient(new MockResponse('font-content'));
+
+        $response = $this->makeProxy($client, corsAllowOrigin: '*')->response('font.woff2');
+
+        self::assertSame('*', $response->headers->get('access-control-allow-origin'));
+    }
+
+    public function testResponseDoesNotSetCorsHeaderWhenCorsAllowOriginIsNull(): void
+    {
+        $client = new MockHttpClient(new MockResponse('font-content'));
+
+        $response = $this->makeProxy($client, corsAllowOrigin: null)->response('font.woff2');
+
+        self::assertFalse($response->headers->has('access-control-allow-origin'));
+    }
+
+    public function testConfiguredCorsOriginOverridesCdnCorsHeader(): void
+    {
+        $client = new MockHttpClient(
+            new MockResponse(
+                'font-content',
+                ['response_headers' => ['access-control-allow-origin' => ['https://cdn.example.com']]]
+            )
+        );
+
+        $response = $this->makeProxy($client, corsAllowOrigin: '*')->response('font.woff2');
+
+        self::assertSame('*', $response->headers->get('access-control-allow-origin'));
+    }
+
     public function testResponseForwardsAllCfPrefixedHeaders(): void
     {
         $client = new MockHttpClient(