Add cors.allowedOrigins to define a list of allowed CORS origins

Classes/Dispatcher.php

@@ -77,6 +77,7 @@ public function __construct(
      * @param ServerRequestInterface $request
      * @param ResponseInterface      $response
      * @return ResponseInterface
+     * @throws \Exception
      */
     public function processRequest(ServerRequestInterface $request, ResponseInterface $response)
     {
@@ -97,7 +98,10 @@ public function processRequest(ServerRequestInterface $request, ResponseInterfac
      */
     public function dispatch(RestRequestInterface $request, ResponseInterface $response)
     {
-        return $this->addAdditionalHeaders($this->dispatchInternal($request, $response));
+        return $this->addCorsHeaders(
+            $request,
+            $this->addAdditionalHeaders($this->dispatchInternal($request, $response))
+        );
     }
 
     /**
@@ -146,7 +150,6 @@ private function getResultConverter()
      *
      * @param RestRequestInterface $request
      * @return ResponseInterface
-     * @throws \Exception
      */
     private function callHandler(RestRequestInterface $request)
     {
@@ -243,6 +246,24 @@ private function addAdditionalHeaders(ResponseInterface $response)
         return $response;
     }
 
+    private function addCorsHeaders(RestRequestInterface $request, ResponseInterface $response)
+    {
+        $origin = $request->getHeaderLine('origin');
+        if ($origin) {
+            $allowedOrigins = $this->objectManager
+                ->getConfigurationProvider()
+                ->getSetting('cors.allowedOrigins', []);
+
+            foreach ($allowedOrigins as $allowedOrigin) {
+                if ($allowedOrigin === $origin) {
+                    return $response->withHeader('Access-Control-Allow-Origin', $allowedOrigin);
+                }
+            }
+        }
+
+        return $response;
+    }
+
     /**
      * @param RestRequestInterface $request
      * @param ResponseInterface    $response

Documentation/Configuration/CORS.md

@@ -14,11 +14,18 @@ By controlling the access in your TYPO3 installation, client-side workarounds
 Example
 -------
 
-An example which will allow the local development site on port `3000` to make `GET`, `POST` and preflight requests.
+The following example will allow the local development site on port `3000` and 
+`https://production.com` to make `GET`, `POST` and preflight requests.
+
+The `Access-Control-Allow-Origin` header will be set to the first 
+`cors.allowedOrigins` value that matches the sent `origin` header.
 
 	plugin.tx_rest.settings {
+        cors.allowedOrigins {
+            0 = http://localhost:3000
+            1 = https://production.com
+        }
 		responseHeaders {
-			Access-Control-Allow-Origin = http://localhost:3000
 			Access-Control-Allow-Methods = POST, GET, OPTIONS
 			
 			# Inform the client that credentials may be used

ext_typoscript_setup.txt

@@ -22,6 +22,9 @@ plugin.tx_rest.settings {
     #    Access-Control-Allow-Origin = example.com
     #    Access-Control-Allow-Methods = GET, POST, OPTIONS, DELETE
     #}
+    #cors.allowedOrigins {
+    #    0 = http://localhost:3000
+    #}
 
     # This is not defined here to allow easy customization in third party extensions TypoScript setup
     # cacheLifeTime = -1