Closed RiseAndCry closed 4 years ago
If the origin is not matched, forcing the value doesn't make a ton of sense IMO, except when you need to cache the responses. If the responses are not cached, then a browser receiving no CORS allow headers back will just assume the request is not allowed, which is fine.
Oh, that's what I've been missing (no header is considered failure), got it. Thanks!
Let's say I use

```yaml
allow_origin: ['http://example.com']
```

and make a request with the header `Origin: http://something.com`. Because the method `checkOrigin` (in `onKernelRequest`) returns false, the `access-control-allow-origin` header is not set. Doesn't that defeat the purpose of CORS? Or am I misunderstanding something?

I'm guessing this is what `forced_allow_origin_value` is for, but it's very limited: it allows only a string (thus one domain), while it should have the same restrictions as `allow_origin` (including regex support), should it not?
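The behaviour the thread settles on, as an added example that is not part of the issue or of NelmioCorsBundle's code: an origin allow-list with optional regex entries, a response that carries no `Access-Control-Allow-Origin` header for an unmatched origin, and the browser-side rule that a missing header is a denial. The option names `allow_origin` and `origin_regex` are borrowed from the thread; their exact semantics in the bundle are an assumption here.

```python
import re

# Constructed model of the server-side check and the browser's decision.
# Not the bundle's implementation; option names and semantics are assumed.


def check_origin(allow_origin, origin, origin_regex=False):
    """Return True if the request's Origin is on the configured allow-list."""
    if origin is None:
        return False
    for allowed in allow_origin:
        if allowed == "*":
            return True
        if origin_regex:
            # fullmatch anchors the pattern, so a host that merely contains
            # the allowed name as a prefix or substring does not match.
            if re.fullmatch(allowed, origin):
                return True
        elif allowed == origin:
            return True
    return False


def cors_response_headers(allow_origin, origin, origin_regex=False):
    """Headers to add to the response.

    Returns an empty dict when the origin is not allowed: the browser treats
    a missing Access-Control-Allow-Origin header as a denial, so nothing
    further has to be done to reject the cross-origin read.
    """
    if not check_origin(allow_origin, origin, origin_regex):
        return {}
    # Echo the specific origin rather than '*' and add Vary so a shared
    # cache does not hand one origin's response to a different origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def browser_allows(response_headers, origin):
    """The browser's rule: allow only on an exact origin match or '*'."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao is not None and acao in ("*", origin)


if __name__ == "__main__":
    cfg = ["http://example.com"]
    for origin in ("http://example.com", "http://something.com"):
        hdrs = cors_response_headers(cfg, origin)
        print(origin, "->", hdrs, "allowed:", browser_allows(hdrs, origin))
```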