nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License

if origin is not allowed, the `access-control-allow-origin` is not set #155

Closed RiseAndCry closed 4 years ago

RiseAndCry commented 4 years ago

Let's say I use `allow_origin: ['http://example.com']` and make a request with the header `Origin: http://something.com`. Because the method `checkOrigin` (in `onKernelRequest`) returns false, the `access-control-allow-origin` header is not set. Doesn't that defeat the purpose of CORS? Or am I misunderstanding something?

I'm guessing this is what `forced_allow_origin_value` is for, but it's very limited - it allows only a string (thus one domain), while it should have the same restrictions as `allow_origin` (including regex support), should it not?

Seldaek commented 4 years ago

If the origin is not matched, forcing the value doesn't make a ton of sense IMO, except when you need to cache the responses. If the responses are not cached, then a browser receiving no allow CORS headers back will just assume the request is not allowed, which is fine.
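As an added illustration of the behaviour described in this thread (example code, not the bundle's own listener), here is a minimal origin check with `allow_origin` semantics assumed to be exact match, `*` wildcard, or an anchored regex when `origin_regex` is enabled. A non-matching `Origin` yields no `Access-Control-Allow-Origin` header at all, and an echoed origin is paired with `Vary: Origin` so a shared cache cannot replay an allowed response to a different origin:

```python
import re

# Constructed sample configuration mirroring the issue: one literal allowed origin.
ALLOW_ORIGIN = ["http://example.com"]


def origin_allowed(origin, allow_origin, origin_regex=False):
    """Return True if `origin` matches one of the configured patterns.

    Literal patterns must match exactly; regex patterns are applied with
    fullmatch so that 'https://app.example.com' does not also accept
    'https://app.example.com.evil.net' (an unanchored search would).
    """
    for pattern in allow_origin:
        if pattern == "*":
            return True
        if origin_regex:
            if re.fullmatch(pattern, origin):
                return True
        elif pattern == origin:
            return True
    return False


def cors_response_headers(request_headers, allow_origin, origin_regex=False):
    """Compute the CORS response headers for a request (assumed semantics)."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: nothing to add
    if not origin_allowed(origin, allow_origin, origin_regex):
        # Disallowed origin: emit no Access-Control-Allow-Origin at all.
        # The browser treats the missing header as "not allowed".
        return {}
    if "*" in allow_origin:
        return {"Access-Control-Allow-Origin": "*"}
    return {
        "Access-Control-Allow-Origin": origin,
        # The value depends on the requester, so caches must key on Origin.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for origin in ("http://example.com", "http://something.com"):
        print(origin, "->", cors_response_headers({"Origin": origin}, ALLOW_ORIGIN))
```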

RiseAndCry commented 4 years ago

Oh, that's what I've been missing (no header is considered failure), got it. Thanks!