In 1.5.6, forced_allow_origin_value does not behave as documented and ignores allowed domains #138

Open
chrif opened this issue Nov 12, 2019 · 4 comments

chrif commented Nov 12, 2019

The response listener for forced_allow_origin_value is added before the call to checkOrigin. This results in the Access-Control-Allow-Origin header being added regardless of the allow_origin config, which is the opposite of the documented behavior:

Be aware that even if you set forced_allow_origin_value to *, if you also set allow_origin to http://example.com,
only this specific domain will be allowed to access your resources.

I need the latest version of Nelmio supporting Symfony 3. I tried to use dev-master as it seems fixed there, but it requires Symfony 4. Would a patch for Symfony 3 be possible?

In the meantime I'll just extend the listener and check origin there:

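use Symfony\Component\HttpKernel\Event\FilterResponseEvent;

final class CorsListener extends \Nelmio\CorsBundle\EventListener\CorsListener {

	// Override: force the header only after the request origin has passed checkOrigin().
	public function forceAccessControlAllowOriginHeader(FilterResponseEvent $event) {
		// No CORS options resolved for this request: leave the response untouched.
		if (!$options = $this->configurationResolver->getOptions($request = $event->getRequest())) {
			return;
		}

		// Origin is not permitted by allow_origin: do not add the forced header.
		if (!$this->checkOrigin($request, $options)) {
			return;
		}

		$event->getResponse()->headers->set('Access-Control-Allow-Origin', $options['forced_allow_origin_value']);
	}

}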

Thanks!

Member

Seldaek commented Nov 12, 2019

Just tagged 2.0 out of master, so yeah there is no way back there, but could do a 1.5.7 with the fix if you can figure out what the problem is. There weren't that many changes in between 1.5.6...master. Sorry, right now don't have time to investigate further.

@rvanlaak

Would it be possible to enhance Symfony's Http Cache so it could work together with the allow_origin policy, so we do not need to set forced_allow_origin_value?

gndk commented Jan 16, 2023

This is still broken, as the fix only applied to preflight requests.

Member

Seldaek commented Feb 15, 2023

I'm not sure here if this should be fixed or not. #72 is the reason it is always set, I believe - but maybe it isn't needed anymore now that we set Vary: Origin on response headers.
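
The listener-ordering problem reported at the top of this thread, next to the documented behaviour, as an added example that is not part of any comment here and is not the bundle's code. It is a standalone PHP model: `checkOrigin` is a simplified stand-in for the bundle's check, `onRequest` and `respond` are hypothetical names, and the configuration is constructed from the documentation sentence quoted in the issue.

```php
<?php
// Added example, not bundle code: a standalone model of the listener ordering; names are hypothetical.
/** Simplified origin check: allow_origin is true (any) or a list of exact origins. */
function checkOrigin(?string $origin, array $options): bool
{
    return $options['allow_origin'] === true
        || ($origin !== null && in_array($origin, $options['allow_origin'], true));
}

/**
 * Request phase: returns the response listeners that get registered.
 * $forceFirst = true registers the forced-header listener before the origin
 * check (the order reported for 1.5.6); false registers it after the check.
 */
function onRequest(?string $origin, array $options, bool $forceFirst): array
{
    $force = function (array $headers) use ($options): array {
        return ['Access-Control-Allow-Origin' => $options['forced_allow_origin_value']] + $headers;
    };
    $echo = function (array $headers) use ($origin): array {
        return $headers + ['Access-Control-Allow-Origin' => $origin]; // keeps a forced value
    };
    $hasForced = isset($options['forced_allow_origin_value']);
    $listeners = ($forceFirst && $hasForced) ? [$force] : []; // registered unconditionally
    if (!checkOrigin($origin, $options)) {
        return $listeners; // disallowed origin: nothing else is registered
    }
    if (!$forceFirst && $hasForced) {
        $listeners[] = $force; // registered only for allowed origins
    }
    $listeners[] = $echo;
    return $listeners;
}

/** Response phase: runs the registered listeners and returns the final headers. */
function respond(?string $origin, array $options, bool $forceFirst): array
{
    $run = function (array $headers, callable $listener): array { return $listener($headers); };
    return array_reduce(onRequest($origin, $options, $forceFirst), $run, []);
}

// Constructed configuration matching the documentation sentence quoted in the issue.
$options = ['allow_origin' => ['http://example.com'], 'forced_allow_origin_value' => '*'];
foreach (['http://example.com', 'http://other.test'] as $origin) {
    foreach ([true, false] as $forceFirst) {
        $acao = respond($origin, $options, $forceFirst)['Access-Control-Allow-Origin'] ?? '(not set)';
        printf("%-19s force-%-5s ACAO: %s\n", $origin, $forceFirst ? 'first' : 'after', $acao);
    }
}
```

The row to watch is the origin that is not in `allow_origin`: with the forced listener registered first it still receives the forced value, and with the listener registered after the check it receives no `Access-Control-Allow-Origin` header. The same matrix can be turned into a regression test that covers non-preflight requests as well as preflight ones.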
