Merge pull request #460 from Shopify/191/add-access-control-headers

chore: Add access control headers for embedded apps

web/app/Http/Kernel.php

@@ -21,6 +21,7 @@ class Kernel extends HttpKernel
         \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
         \App\Http\Middleware\TrimStrings::class,
         \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
+        \App\Http\Middleware\AccessControlHeaders::class,
     ];
 
     /**

web/app/Http/Middleware/AccessControlHeaders.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Shopify\Context;
+
+class AccessControlHeaders
+{
+    /**
+     * Ensures that Access Control Headers are set for embedded apps.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if (Context::$IS_EMBEDDED_APP) {
+
+            /** @var Response $response */
+            $response = $next($request);
+
+            $response->headers->set("Access-Control-Allow-Origin", "*");
+            $response->headers->set("Access-Control-Allow-Header", "Authorization");
+            $response->headers->set("Access-Control-Expose-Headers", 'X-Shopify-API-Request-Failure-Reauthorize-Url');
+
+            return $response;
+        }
+    }
+}