From e3512c977a7c4f05207bb312f97dafd1e50f62ed Mon Sep 17 00:00:00 2001
From: Bernhard Posselt
Date: Mon, 2 Sep 2013 14:34:58 +0200
Subject: still trying to fix cors
---
 external/newsapi.php | 6 +++---
 middleware/corsmiddleware.php | 13 ++++++-------
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/external/newsapi.php b/external/newsapi.php
index 2400041cb..489f27f72 100644
--- a/external/newsapi.php
+++ b/external/newsapi.php
@@ -80,13 +80,13 @@ class NewsAPI extends Controller {
 public function cors() {
 // needed for webapps access due to cross origin request policy
 if(array_key_exists('Origin', $this->request->server)) {
- $allowed = $this->request->server['Origin'];
+ $origin = $this->request->server['Origin'];
 } else {
- $allowed = '*';
+ $origin = '*';
 }
 $response = new Response();
- $response->addHeader('Access-Control-Allow-Origin', $allowed);
+ $response->addHeader('Access-Control-Allow-Origin', $origin);
 $response->addHeader('Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE');
 $response->addHeader('Access-Control-Allow-Credentials', 'true');
 $response->addHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
diff --git a/middleware/corsmiddleware.php b/middleware/corsmiddleware.php
index 7bde0a891..e0d3e23ad 100644
--- a/middleware/corsmiddleware.php
+++ b/middleware/corsmiddleware.php
@@ -52,15 +52,14 @@ class CORSMiddleware extends Middleware {
 public function afterController($controller, $methodName, Response $response){
 $annotationReader = new MethodAnnotationReader($controller, $methodName);
- if(array_key_exists('Origin', $this->request->server)) {
- $allowed = $this->request->server['Origin'];
- } else {
- $allowed = '*';
- }
+ // only react if its an API request and if the request sends origin
+ if(array_key_exists('Origin', $this->request->server) &&
+ $annotationReader->hasAnnotation('API')) {
- if($annotationReader->hasAnnotation('API')) {
- $response->addHeader('Access-Control-Allow-Origin', $allowed);
+ $origin = $this->request->server['Origin'];
+ $response->addHeader('Access-Control-Allow-Origin', $origin);
 $response->addHeader('Access-Control-Allow-Credentials', 'true');
+
 }
 return $response;
 }
-- 
cgit v1.2.3
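Review bot: The rewritten branch in `afterController` still echoes whatever `Origin` the request carries into `Access-Control-Allow-Origin` and sets `Access-Control-Allow-Credentials: true` next to it, so every origin is trusted for credentialed reads of `@API` methods. Gate the two `addHeader` calls on an allow-list, e.g. `if (in_array($origin, $allowedOrigins, true)) {` (`$allowedOrigins` is a placeholder for a configured list), and add `$response->addHeader('Vary', 'Origin');` because the response now differs per origin. `cors()` in external/newsapi.php has the same reflection, and its `'*'` fallback is sent together with credentials, a combination browsers reject. If `$this->request->server` mirrors `$_SERVER`, the header would be keyed `HTTP_ORIGIN` rather than `Origin` and this branch would never run; that is not visible here and worth confirming.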