feat(#3541756): set default CORS allowedHeaders.

[Decipher]

Summary by CodeRabbit

• New Features
  • CORS is now enabled by default with a wildcard allowed-headers setting when none is specified, improving cross-site request compatibility out of the box.
• Tests
  • Expanded integration tests to verify the default wildcard allowed-headers behavior for CORS.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds a default CORS allowed header of '*' when enabling CORS in DruxtServiceProvider::alter if none are set, and updates the functional test to assert this default.

Changes

Cohort / File(s)	Summary
CORS default headers handling src/DruxtServiceProvider.php	In alter(), when enabling CORS and allowedHeaders is empty, set allowedHeaders to ['*'] before persisting cors.config. Added clarifying comment.
Tests tests/src/Functional/CorsIntegrationTest.php	Extended testCrossSiteRequestEnabled to assert cors.config.allowedHeaders[0] is '*'.

Sequence Diagram(s)

sequenceDiagram
  participant SP as DruxtServiceProvider::alter
  participant Cfg as cors.config
  SP->>Cfg: Read enabled, allowedHeaders
  alt CORS disabled
    SP->>Cfg: If allowedHeaders empty, set ['*']
    SP->>Cfg: Set enabled = true
    SP->>Cfg: Save updated config
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A whisk, a hop, a header star,
Now CORS will greet from near and far.
I nibbled code, set “*” to play,
So cross-site calls can find their way.
Thump-thump! The tests all pass—hooray! 🐇✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/3541756-allowed_headers

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Decipher]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/DruxtServiceProvider.php (1)

22-26: Use empty() and initialize the array to avoid notices; assign instead of append.

• count($cors_config['allowedHeaders']) can emit a notice if the key is unset/non-array.
• Prefer initializing the array when empty/undefined and assigning ['*'] rather than appending. This is both clearer and safer.

Apply this diff:

-      // Set allowed headers to '*' by default.
-      if (count($cors_config['allowedHeaders']) === 0) {
-        $cors_config['allowedHeaders'][] = '*';
-      }
+      // Set allowed headers to '*' by default when empty/undefined.
+      if (empty($cors_config['allowedHeaders'])) {
+        $cors_config['allowedHeaders'] = ['*'];
+      }

Please confirm that in all supported environments, cors.config['allowedHeaders'] may be absent or empty (e.g., across Drupal core versions you target), so this guard is appropriate and won’t mask unexpected shapes.

tests/src/Functional/CorsIntegrationTest.php (1)

30-30: Make the assertion robust: assert presence rather than array index.

Index-based assertion is brittle. Prefer asserting that '*' is present in the list. Also keep expected argument first when using equals.

Apply this diff:

-    $this->assertEquals($cors_config['allowedHeaders'][0], '*');
+    $this->assertContains('*', $cors_config['allowedHeaders']);

If you intentionally require '*' to be the first element, clarify that contract and ensure the service provider enforces ordering accordingly. Otherwise, the presence check is safer across core defaults.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between dab047e and 305ed5d.

📒 Files selected for processing (2)

• src/DruxtServiceProvider.php (1 hunks)
• tests/src/Functional/CorsIntegrationTest.php (1 hunks)

🔇 Additional comments (1)

src/DruxtServiceProvider.php (1)

19-21: Comment clarifies intent.

The inline comment complements the class-level docblock and makes the enablement step self-explanatory.