Handle invalid Origin header values in CorsMiddleware

[boesing]

Q	A
Bugfix	yes
BC Break	no
New Feature	yes

Description

For requests with invalid Origin URIs (i.e. when using laminas/laminas-diactoros, passing chrome-extension://asdkjasdkjasjkdasjkd will throw InvalidOriginValueException), the CorsMiddleware is throwing an unhandled exception, which ends up in HTTP 500 in mezzio applications (unless the error is catched in the error handler and whyever some1 would then return a different HTTP status code).

So to properly handle this (as it some PSR-7 implementations do allow any scheme), I've created laminas/laminas-diactoros#179.
However, after some feedback and more research, I found out that PSR-7 is actually quite "clear" on what MUST be supported and what MAY be supported:

Implementations MUST support the schemes "http" and "https" case insensitively, and MAY accommodate other schemes if required.

It also states that unsupported schemes may end up in an InvalidArgumentException:

/**
 * Return an instance with the specified scheme.
 *
 * This method MUST retain the state of the current instance, and return
 * an instance that contains the specified scheme.
 *
 * Implementations MUST support the schemes "http" and "https" case
 * insensitively, and MAY accommodate other schemes if required.
 *
 * An empty scheme is equivalent to removing the scheme.
 *
 * @param string $scheme The scheme to use with the new instance.
 * @return static A new instance with the specified scheme.
 * @throws \InvalidArgumentException for invalid or unsupported schemes.
 */
public function withScheme(string $scheme): UriInterface;

---

So as a conclusion, I decided to handle these problems in mezzio-cors since InvalidOriginValueException may also occur for other issues unrelated to the scheme.

So this patch handles InvalidOriginValueException in CorsMiddleware when passing the request to CorsInterface#isCorsRequest and returns an unauthorized response now.
Prior this patch, an unhandled exception (InvalidOriginValueException) was bubbling up the middleware pipeline in mezzio applications and thus, this change might not introduce a real BC break, WDYT?

I am targeting the next minor as I also introduced a way to actually fetch the RAW Origin header value from the InvalidOriginValueException so that consumers of the CorsInterface can access the header value (so does CorsMiddleware).

[Ocramius]

🚢