nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License

Request in firefox returns access-control-allow-origin: null #135

Open ghost opened 5 years ago

ghost commented 5 years ago

I've got a pretty much default setup.

nelmio_cors:
    defaults:
        origin_regex: true
        allow_origin: ['https://localhost:8080']
        allow_methods: ['OPTIONS', 'GET', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization']
        expose_headers: ['Link']
        max_age: 3600
    paths:
        '^/': ~

When I make a request from Chrome, the headers are set as expected:

access-control-allow-headers: content-type, authorization
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-origin: https://localhost:8080
access-control-max-age: 3600

But when I make the exact same request from Firefox, the following headers are returned:

access-control-allow-headers: content-type, authorization
access-control-allow-methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
access-control-allow-origin: null
access-control-max-age: 3600

How can the result for allow-origin be null in this case?

FYI, the request headers from FF look like this:

Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin: https://127.0.0.1:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

nehmalho commented 2 years ago

Hi, facing the same issue in FF; in Chrome and Edge the header is appended properly. Any reason why access-control-allow-origin is null in Firefox, and what change to make?

botjaeger commented 2 years ago

Encountered this same exact issue now.

Seldaek commented 1 year ago

You mentioned the request header on Firefox is Origin: https://127.0.0.1:8080 - what is Chrome sending as Origin header? I imagine this might be the issue. As your allow_origin is https://localhost:8080, it may not match it if Firefox sends the IP. So in development, if you don't use a hostname, I'd suggest adding both the local IP and localhost to the allow_origin array.
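
The mismatch described in the last comment, as an added example that is not part of the thread and is not the bundle's own code: a small Python model of the origin check, run against the reported `allow_origin` and against a list with both local names. The helper names, the Chrome `Origin` value, the `example.test` origin and the matching rule (unanchored, case-insensitive regex search when `origin_regex` is true) are assumptions.

```python
import re

# Values from the thread. The Chrome Origin is an assumption: the issue never shows it.
REPORTED = ["https://localhost:8080"]
FIREFOX_ORIGIN = "https://127.0.0.1:8080"
CHROME_ORIGIN = "https://localhost:8080"  # assumed

# Both local names, anchored and with dots escaped (constructed for this example).
FIXED = [r"^https://localhost:8080$", r"^https://127\.0\.0\.1:8080$"]

# Constructed origin used to show what an unanchored entry also accepts.
LOOKALIKE = "https://localhost:8080.example.test"


def origin_allowed(origin, allow_origin, origin_regex=True):
    """Return True if the Origin header matches any configured entry.

    Assumption: with origin_regex enabled each entry is applied as an
    unanchored, case-insensitive regex search; otherwise exact match.
    """
    if origin_regex:
        return any(re.search(p, origin, re.IGNORECASE) for p in allow_origin)
    return origin in allow_origin


def allow_origin_header(origin, allow_origin, origin_regex=True):
    """Model of the response header seen in the thread: the origin, or 'null'."""
    if origin_allowed(origin, allow_origin, origin_regex):
        return origin
    return "null"


def unanchored(allow_origin):
    """Entries without ^...$ anchors, which can match more than intended."""
    return [p for p in allow_origin
            if not (p.startswith("^") and p.endswith("$"))]


if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("fixed", FIXED)):
        for origin in (CHROME_ORIGIN, FIREFOX_ORIGIN, LOOKALIKE):
            print(name, origin, "->", allow_origin_header(origin, cfg))
        print(name, "unanchored entries:", unanchored(cfg))
```
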