0

I'm developing an API with symfony, and of course i've taken cors into account. I installed the nelmio-cors-bundle but the header are not arriving to the client side:

My configuration is this:

nelmio_cors:
    defaults:
        allow_credentials: true
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
    paths:
        '^/api':
            allow_origin: ['*']
            allow_headers: ['*']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
            max_age: 3600

I get back the following headers:

Allow → GET
Cache-Control → no-cache
Connection → close
Content-Type → application/json
Date → Mon, 16 Mar 2015 03:46:41 GMT
Host → 127.0.0.1:8000
X-Debug-Token → a6ec46
X-Debug-Token-Link → /_profiler/a6ec46
X-Powered-By → PHP/5.5.21

CORS headers are not there.

Can you help me? I'm running my app in symfony's dev server, is this a problem?

Thanks.

danielrvt
  • 10,177
  • 20
  • 80
  • 121
  • I'm using nelmio cors with the same configuration with no problem. Do you test response headers with XHR requests? I'm using the nelmio cors succesfully with mobile apps based on ionic framework and angular ... its working in dev environment as well. – David Marko Mar 16 '15 at 09:42
  • I didn't test xhr requests, I tested in postman. In mobile devices que Phone always allows cross domain requests from the web view. – danielrvt Mar 16 '15 at 11:36
  • I asked because I cant see the headers as well here, but overall its working with my mobile device ... – David Marko Mar 16 '15 at 13:08
  • We are having problem as well with this, and seems like after a few test what's happening is that the header are not sent back unless you send with the request also the origin `curl 'https://www.example.com' -X OPTIONS -H 'Origin: http://localhost:9000' --verbose`, still we are having problems with some request working some not working (not returning cors header) – mtt May 11 '15 at 18:03
  • @mtt I don't understand the 'curl' part... Did you fix your problem yet? I have configured nelmio to allow all methods (something like the OriginalPoster did), but in chrome > network only see `Allow: OPTIONS, GET, HEAD` when sending my post-form – nclsvh Jan 06 '16 at 10:17
  • It was long time ago but as far as I remember we discovered that whenever there was an error on the server side the cors headers were not sent. everything was fine if there was not a 5xx server error that's all I remember sorry! – mtt Jan 06 '16 at 16:51

1 Answers1

1

as it was mentioned in the official documentation :

allow_origin and allow_headers can be set to * to accept any value, the allowed methods however have to be explicitly listed. paths must contain at least one item.

here is a sapmle configuration : 

nelmio_cors:
  defaults:
    allow_credentials: false
    allow_origin: ['^http://localhost:[0-9]+']
    allow_headers: ['*']
    allow_methods: ['POST', 'GET']
    expose_headers: ['*']
    max_age: 0
    hosts: []
    origin_regex: false
    forced_allow_origin_value: ~
  paths:
    '^/':
        origin_regex: true
        allow_origin: ['^http://localhost:[0-9]+']
        allow_headers: ['Authorization']
        allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
        max_age: 3600
Ali
  • 554
  • 4
  • 6