Open mlutfy opened 4 years ago
Thank you for posting this! We should figure out a way to include this in the docs.
Maybe even make it a mini-contrib module for the D8 remote site.
We've had to do that exact same thing in a services.yml file for one site. You can give services settings in a module_name.services.yml file
in a custom module, say custom_cors. In custom_cors.services.yml, change your settings to what you want here:
```yaml
parameters:
  cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['Content-type']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['*']
    # Configure requests allowed from specific origins.
    allowedOrigins: []
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: 3600
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: true
```
If you want to override the cors service, use a Service provider / Service Modifier; you can really do anything you want by overriding the different methods.
In src/CustomCorsServiceProvider.php:
```php
<?php

namespace Drupal\custom_cors;

use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\Core\DependencyInjection\ServiceProviderBase;

/**
 * Alter the service container to use a custom class.
 */
class CustomCorsServiceProvider extends ServiceProviderBase {

  /**
   * {@inheritdoc}
   *
   * Overrides the CORS service (http_middleware.cors) to change some
   * functionality.
   */
  public function alter(ContainerBuilder $container) {
    $container->getDefinition('http_middleware.cors')->setClass(CustomCors::class);
  }

}
```
Then a service class, in src/CustomCors.php
```php
<?php

namespace Drupal\custom_cors;

use Asm89\Stack\Cors;
use Symfony\Component\HttpKernel\HttpKernelInterface;

/**
 * Add Allowed Origins white listed domains list
 */
class CustomCors extends Cors {
  // do cool custom stuff
}
```
Now that I think about it, this approach would be great in combination with this extension. This custom module we have has an admin form where the admin user can enter allowed domains .. so it plugs that security hole real well. You only allow CORS connections from domains you whitelist.
All it takes is the config form, and then load the config settings and set the values for the 'allowedOrigins' service parameter in the custom service constructor.
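A sketch of the validation step for the admin form described above, as an added example that is not the custom module's code: it reduces each entered value to a bare scheme://host[:port] origin and drops wildcards, paths and everything else, so a stray * never reaches allowedOrigins while supportsCredentials is true. The function names and sample origins are hypothetical.

```php
<?php
// Added example; function names and sample origins are hypothetical.

/**
 * Reduce one admin-entered value to "scheme://host[:port]".
 * Returns NULL for anything that is not a bare http(s) origin.
 */
function custom_cors_normalize_origin(string $value): ?string {
  $parts = parse_url(strtolower(trim($value)));
  if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
    return NULL;
  }
  if (!in_array($parts['scheme'], ['http', 'https'], TRUE)) {
    return NULL;
  }
  // An origin carries no path, query, fragment or credentials.
  if (array_diff(array_keys($parts), ['scheme', 'host', 'port'])) {
    return NULL;
  }
  // Plain host names only: this rejects '*' and '*.example.org'.
  if (!preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $parts['host'])) {
    return NULL;
  }
  // Browsers omit default ports from the Origin header, so drop them too.
  $default = ['http' => 80, 'https' => 443][$parts['scheme']];
  $port = isset($parts['port']) && $parts['port'] !== $default ? ':' . $parts['port'] : '';
  return $parts['scheme'] . '://' . $parts['host'] . $port;
}

/**
 * Build the allowedOrigins list from form input, one entry per line.
 */
function custom_cors_allowed_origins(string $form_input): array {
  $lines = preg_split('/\R/', $form_input, -1, PREG_SPLIT_NO_EMPTY);
  $origins = array_filter(array_map('custom_cors_normalize_origin', $lines));
  return array_values(array_unique($origins));
}

// Constructed sample input: only the first two lines are valid origins.
$input = implode("\n", [
  'https://forms.example.org',
  'http://localhost:8080',
  '*',
  'https://*.example.org',
  'https://example.org/path',
  'null',
]);
print_r(custom_cors_allowed_origins($input));
```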
Thanks Mark, those are really good leads.
I was wondering why Drupal does not already have a module to handle CORS configs? Would it be hard to extract your existing code from a custom module, and post it on drupal.org? (It's not specific to remoteforms)
On the other hand, if editing services.yml is the recommended method (imho it assumes that Drupal 8/9 admins are fairly technical, but maybe that's accurate), a module might not be necessary?
Correct, a module is not necessary .. allowedOrigins and other things can be edited in the site's global services.yml. I could make the custom one we had a module, maybe call it cors_whitelist or something .. I'll think about what we have and make sure it's general enough and see about putting it on Drupal.org
This one particularly confused me, so maybe it can help others:
To my understanding, Drupal8 handles CORS rather differently than Drupal7:
https://www.drupal.org/node/2715637
To get remoteform to work, I had to do the following to the services.yml of my site (in sites/default/services.yml), then flush cache (drush cr).