search

nelmio / NelmioCorsBundle

Adds CORS (Cross-Origin Resource Sharing) headers support in your Symfony application
https://symfony.com/bundles/NelmioCorsBundle/
MIT License
1.89k stars 108 forks source link

allow_credentials: true is ignored #196

Closed hulvat closed 9 months ago

hulvat commented 9 months ago

Hi, this is my configuration in symfony 6.4 nelmio_cors.yaml

nelmio_cors:
    defaults:
        allow_credentials: true
        allow_origin: ['https://localhost:3000']
        allow_headers: ['Access-Control-Allow-Headers', 'Origin','Accept', 'X-Requested-With', 'Content-Type', 'Access-Control-Request-Method', 'Access-Control-Request-Headers','Access-Control-Allow-Methods','Access-Control-Allow-Credentials']
        allow_methods: ['GET', 'POST', 'OPTIONS', 'PUT', 'DELETE', 'PATCH']
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
        forced_allow_origin_value: ~
        skip_same_as_origin: true

But i have this alert in console

Access to XMLHttpRequest at 'https://localhost/api/login' from origin 'https://localhost:3000' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

When i add manualy this directive header("Access-Control-Allow-Credentials: true"); to index.php everything is running ok, so it seems that nelmio cors config directive allow_credentials: true is ignored