From e28e984278d8020ff7b67f711bf418668ac51f24 Mon Sep 17 00:00:00 2001
From: Alejandro Celaya
Date: Tue, 19 Jul 2016 22:38:14 +0200
Subject: [PATCH] Improved CrossDomainMiddleware by allowing the same origin that was requested
---
 .../Rest/src/Middleware/CrossDomainMiddleware.php | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/module/Rest/src/Middleware/CrossDomainMiddleware.php b/module/Rest/src/Middleware/CrossDomainMiddleware.php
index 4fba6944..3019badf 100644
--- a/module/Rest/src/Middleware/CrossDomainMiddleware.php
+++ b/module/Rest/src/Middleware/CrossDomainMiddleware.php
@@ -41,18 +41,17 @@ class CrossDomainMiddleware implements MiddlewareInterface
 }
 // Add Allow-Origin header
- $response = $response->withHeader('Access-Control-Allow-Origin', '*');
+ $response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeader('Origin'));
 if ($request->getMethod() !== 'OPTIONS') {
 return $response;
 }
 // Add OPTIONS-specific headers
- $headers = [
- 'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS', // TODO Should be based on path
- 'Access-Control-Max-Age' => '1000',
- 'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
- ];
- foreach ($headers as $key => $value) {
+ foreach ([
+ 'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS', // TODO Should be based on path
+ 'Access-Control-Max-Age' => '1000',
+ 'Access-Control-Allow-Headers' => $request->getHeaderLine('Access-Control-Request-Headers'),
+ ] as $key => $value) {
 $response = $response->withHeader($key, $value);
 }
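Review bot: Echoing the request's `Origin` into `Access-Control-Allow-Origin` accepts every origin, and unlike `*` a reflected origin stays valid if `Access-Control-Allow-Credentials: true` is ever added, at which point any site could read authenticated responses. Compare the value against a configured allowlist before echoing it, and add `Vary: Origin` so a shared cache does not serve one origin's response to another. `getHeader()` returns an array in PSR-7, so `getHeaderLine('Origin')` would match the `getHeaderLine()` call used below for `Access-Control-Request-Headers`, e.g. `$response = $response->withHeader('Access-Control-Allow-Origin', $request->getHeaderLine('Origin'))->withAddedHeader('Vary', 'Origin');`. The block that closes just above the hunk is outside the visible lines, so whether a missing `Origin` header is already handled cannot be confirmed from here.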