nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License

Preflight checks should only be performed when header "Access-Control-Request-Method" is present #100

Closed d3mo17 closed 5 years ago

d3mo17 commented 6 years ago

Otherwise, request method "OPTIONS" exclusively gets into preflight check mode.

https://github.com/nelmio/NelmioCorsBundle/blob/4243c60a96f8b95d5f42a3e65b33a3eebc511491/EventListener/CorsListener.php#L72-L77

You'd better modify this to something like:

        // perform preflight checks
        if ('OPTIONS' === $request->getMethod() && $request->headers->get('Access-Control-Request-Method') != '') {
            $event->setResponse($this->getPreflightResponse($request, $options));

            return;
        }

Kifah commented 6 years ago

I am having the same issue with Symfony 4.1.

scion4581 commented 6 years ago

@rekrut I totally agree; moreover, the next lines in the getPreflightResponse method will throw an exception with a 405 code, because Access-Control-Request-Method is empty

https://github.com/nelmio/NelmioCorsBundle/blob/4243c60a96f8b95d5f42a3e65b33a3eebc511491/EventListener/CorsListener.php#L147-L152

Similar closed issue: #21

LPodolski commented 6 years ago

Yes, it's a bug. Currently this lib is not compatible with the CORS spec, as explained here: https://github.com/nelmio/NelmioCorsBundle/issues/21#issuecomment-418023782

zegenie commented 5 years ago

I'm also seeing this bug, where the preflight check kicks in for valid OPTIONS requests that are not preflight requests, as mentioned in a previous comment. Will this be fixed?
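
The difference between the two checks discussed in this thread, as an added example that is not part of the issue or of NelmioCorsBundle's code. The request model (a method plus lower-cased header names), the `dispatch()` helper, the allow-list and the sample requests are all hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not NelmioCorsBundle code. A request is modelled as a
// method plus an array of headers keyed by lower-cased name (an assumption).

/** Check as the thread describes the listener: any OPTIONS request is a preflight. */
function isPreflightMethodOnly(string $method, array $headers): bool
{
    return 'OPTIONS' === strtoupper($method);
}

/** Check proposed in the issue: OPTIONS and a non-empty Access-Control-Request-Method. */
function isPreflightProposed(string $method, array $headers): bool
{
    return 'OPTIONS' === strtoupper($method)
        && '' !== trim($headers['access-control-request-method'] ?? '');
}

/**
 * Hypothetical dispatcher: a request classified as preflight is answered by the
 * CORS layer (405 when the requested method is missing or not allowed, as the
 * thread reports); anything else is passed on to the application.
 */
function dispatch(callable $isPreflight, string $method, array $headers, array $allowMethods): string
{
    if (!$isPreflight($method, $headers)) {
        return 'passed to application';
    }
    $requested = strtoupper(trim($headers['access-control-request-method'] ?? ''));

    return in_array($requested, $allowMethods, true) ? 'preflight 200' : 'preflight 405';
}

// Constructed sample requests and allow-list.
$allow = ['GET', 'POST', 'PUT'];
$samples = [
    'browser preflight for PUT' => ['OPTIONS', ['origin' => 'https://app.example', 'access-control-request-method' => 'PUT']],
    'plain OPTIONS, no ACRM'    => ['OPTIONS', ['origin' => 'https://app.example']],
    'plain OPTIONS, empty ACRM' => ['OPTIONS', ['access-control-request-method' => '']],
    'ordinary GET'              => ['GET', ['origin' => 'https://app.example']],
];

foreach ($samples as $label => [$method, $headers]) {
    $old = dispatch('isPreflightMethodOnly', $method, $headers, $allow);
    $new = dispatch('isPreflightProposed', $method, $headers, $allow);
    printf("%-26s method-only: %-22s proposed: %s\n", $label, $old, $new);
}
```

Only the two plain OPTIONS rows differ: the method-only check answers them with 405, while the proposed check lets them reach the application's own OPTIONS handler.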