11

src/ApiKernel.php

@@ -97,14 +97,36 @@ class ApiKernel
         $this->fail('Invalid config', 'config file not found or not returning array', 500);
     }
     private function cors(): void { /* ... Logik bleibt unverändert ... */
-        $cors = $this->conf['cors'] ?? '*';
+        $corsConfig = $this->conf['cors'] ?? '*';
-        if ($cors) {
+        $originHeader = $_SERVER['HTTP_ORIGIN'] ?? '';
-            header('Access-Control-Allow-Origin: ' . $cors);
+        $allowedOrigin = null;
-            header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
+
-            header('Access-Control-Allow-Headers: Content-Type, Authorization');
+        if (is_array($corsConfig)) {
-            header('Access-Control-Allow-Credentials: true');
+            if ($originHeader && in_array($originHeader, $corsConfig, true)) {
+                $allowedOrigin = $originHeader;
+            }
+        } elseif (is_string($corsConfig)) {
+            if ($corsConfig === '*' && $originHeader !== '') {
+                $allowedOrigin = $originHeader;
+            } else {
+                $allowedOrigin = $corsConfig;
+            }
+        }
+
+        if ($allowedOrigin) {
+            header('Access-Control-Allow-Origin: ' . $allowedOrigin);
+            header('Vary: Origin');
+            header('Access-Control-Allow-Credentials: true');
+        } elseif ($corsConfig === '*') {
+            header('Access-Control-Allow-Origin: *');
+        }
+
+        header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
+        header('Access-Control-Allow-Headers: Content-Type, Authorization');
+
+        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
+            $this->respond(['ok' => true]);
         }
-        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') $this->respond(['ok' => true]);
 
         if (!empty($this->conf['auth']['cookie'])) {
             $c = $this->conf['auth']['cookie'];