Closed grekpg closed 4 years ago
This is a valid point. We are also facing this but then with Symfony's HTTP Cache kernel.
We configured a proper CORS policy, but as the HTTP Cache returns a valid cache hit when the origin is different this leads to errors on the client side.
Using forced_allow_origin_value to force the value to * would solve this, but that would not be the right solution as it would invalidate our entire CORS policy.
Update: response headers also get cached. Make sure to include the right differentiators to the response Vary header.
In this case Origin should also get included, because this bundle uses it to calculate the CORS response headers.
@rvanlaak I'm having the same issue. How did you add the Vary header when a specific Access-Control-Allow-Origin is returned? In this bundle or did you go with your own solution?
I will file a PR for this. Origin should get added to the Vary header in case the response is cacheable.
The solution for Symfony would be to add an event subscriber that subscribes to KernelEvents::RESPONSE.
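A sketch of the subscriber described above, as an added example that is not part of the thread, of PR #156, or of NelmioCorsBundle. It assumes Symfony 4.3 or later (for ResponseEvent); the namespace, class name and listener priority are hypothetical.

```php
<?php

declare(strict_types=1);

namespace App\EventSubscriber; // hypothetical namespace

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Adds "Origin" to the Vary header of cacheable responses, so a shared cache
 * (Symfony HttpCache, Varnish) stores one variant per requesting origin and
 * never replays one origin's Access-Control-Allow-Origin value to another.
 */
final class VaryOriginSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Negative priority is an assumption: run after the listeners
        // that set the Cache-Control and CORS headers.
        return [KernelEvents::RESPONSE => ['onKernelResponse', -10]];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        $response = $event->getResponse();

        // A response that no shared cache may store cannot leak
        // CORS headers across origins, so leave it untouched.
        if (!$response->isCacheable()) {
            return;
        }

        // Header names are case-insensitive; skip if Origin (or "*") is already listed.
        $vary = array_map('strtolower', $response->getVary());
        if (in_array('*', $vary, true) || in_array('origin', $vary, true)) {
            return;
        }

        // Second argument false: append to the existing Vary values instead of replacing them.
        $response->setVary('Origin', false);
    }
}
```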
@adri created PR #156, can you see if that branch fixes your use case as well?
@rvanlaak Thanks a lot! I actually ended up implementing CORS in a load balancer. Also to unload PHP from dealing with OPTIONS requests. I think your PR is super helpful though. Hope it gets merged 🙏
I use Varnish cache - when I open a cacheable API request on the first domain - I get in the response headers
Accept-Ranges: bytes
Access-Control-Allow-Origin: http://app.local
Access-Control-Expose-Headers: link
Age: 12
Cache-Control: public
Connection: keep-alive
Content-Length: 6722
Content-Type: application/json
Date: Thu, 21 Mar 2019 12:09:28 GMT
Expires: Fri, 22 Mar 2019 00:00:00 GMT
Server: nginx/1.10.3 (Ubuntu)
so Varnish saves this header, and when I open this page from another domain - I have ....as been blocked by CORS policy: The 'Access-Control-Allow-Origin'...
NelmioCorsBundle - return referrer page? When I have *?