Details

      Description

      Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser. From an API/server perspective, this relies on some headers sent in the HTTP request/response plus support for the OPTIONS request (the preflight request in the spec), so that the browser can transparently check whether CORS is supported or not.

      At the moment, the REST API v2 does not support OPTIONS requests. In addition, the required headers in API responses can be added with a (quite tricky) Apache configuration but IMHO, this should be handled by the REST bundle.

      Requirements

      • semantical configuration for allowed cross domains, including * (all)
      • return the request's origin: Access-Control-Allow-Origin: http://origin.example.com (or *)
      • OPTIONS must return the list of allowed methods. For now, it can be identical to the "normal" OPTIONS response, Allow, but using the Access-Control-Allow-Methods header
      • every CORS request must A) check if the origin is acceptable based on configuration, and refuse to reply if it isn't B) include the appropriate Access-Control headers
      • ... to be continued
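
A minimal model of the checks in the requirements list above, added here as an example: it is not eZ Publish or NelmioCorsBundle code, and it is written in Python rather than PHP so that it runs stand-alone. The origin list, the method list and the 403 status for a refused origin are assumptions.

```python
# Added example: models the CORS decision from the requirements above.
ALLOWED_ORIGINS = ["http://origin.example.com"]  # constructed config; ["*"] allows all
ROUTE_METHODS = ["GET", "PATCH", "DELETE"]       # constructed: what plain OPTIONS lists in Allow


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact match on scheme://host[:port]; '*' in the config allows every origin."""
    # Exact comparison, never prefix/suffix/substring: a partial match would also
    # accept look-alike hosts that merely contain the configured name.
    return "*" in allowed or origin in allowed


def cors_response(method, headers, allowed=ALLOWED_ORIGINS, route_methods=ROUTE_METHODS):
    """Return (status, cors_headers) for one request.

    status None means: not a preflight, pass the request to the normal REST
    handler and merge cors_headers into its response.
    """
    origin = headers.get("Origin")
    if origin is None:
        # Not a cross-origin browser request: emit no CORS headers.
        return None, {}
    if not origin_allowed(origin, allowed):
        # Requirement A: refuse. 403 is an assumption; the issue names no status.
        return 403, {}
    # Requirement B: return the request's origin (or '*').
    if "*" in allowed:
        out = {"Access-Control-Allow-Origin": "*"}
    else:
        # Vary stops a cache from reusing a response built for another origin.
        out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight: same list as the normal Allow header, under the CORS name.
        out["Access-Control-Allow-Methods"] = ", ".join(route_methods)
        return 204, out
    return None, out


if __name__ == "__main__":
    preflight = {"Origin": "http://origin.example.com",
                 "Access-Control-Request-Method": "PATCH"}
    print(cors_response("OPTIONS", preflight))
    print(cors_response("GET", {"Origin": "http://origin.example.com.other.test"}))
```

The second call is refused because the origin only begins with the configured value; header names are looked up exactly as given, so a real handler should normalise their case first.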

          Activity

          Bertrand Dunogier added a comment (edited) - Pull-requests: nelmio/NelmioCorsBundle#16, ezsystems/ezpublish-community#89, ezsystems/ezpublish-kernel#663
          Bertrand Dunogier added a comment - Documentation: https://confluence.ez.no/display/EZP/Cross-Origin+HTTP+requests .
          Bertrand Dunogier added a comment -

          Pull request merged.

          Bertrand Dunogier added a comment -

          Why is it wrong? It allows example.com by default, while your example allows it only for /api/*.

          Pedro Resende (Inactive) added a comment -

          If you use as described in the documentation https://confluence.ez.no/display/EZP/Cross-Origin+HTTP+requests

          nelmio_cors:
              default:
                  allow_origin: [ 'http://example.com' ]

          You'll get the following fatal error

          Fatal error: Uncaught exception 'Symfony\Component\Config\Definition\Exception\InvalidConfigurationException' with message 'Unrecognized options "default" under "nelmio_cors"' in /var/www/apache2php53/ezp/vendor/symfony/symfony/src/Symfony/Component/Config/Definition/ArrayNode.php:316
          Stack trace:
          #0 /var/www/apache2php53/ezp/vendor/symfony/symfony/src/Symfony/Component/Config/Definition/BaseNode.php(268): Symfony\Component\Config\Definition\ArrayNode->normalizeValue(Array)
          #1 /var/www/apache2php53/ezp/vendor/symfony/symfony/src/Symfony/Component/Config/Definition/Processor.php(33): Symfony\Component\Config\Definition\BaseNode->normalize(Array)
          #2 /var/www/apache2php53/ezp/vendor/symfony/symfony/src/Symfony/Component/Config/Definition/Processor.php(50): Symfony\Component\Config\Definition\Processor->process(Object(Symfony\Component\Config\Definition\ArrayNode), Array)
          #3 /var/www/apache2php53/ezp/vendor/symfony/symfony/src/Symfony/Component/DependencyInjection/Extension/Extension.php(107): Symfony\Component\Config\Definit in /var/www/apache2php53/ezp/vendor/symfony/symfony/src/Symfony/Component/Config/Definition/ArrayNode.php on line 316
          503 Service Unavailable

          Bertrand Dunogier added a comment -

          It's 'defaults', with an 's'. I have fixed the Confluence page. Can you confirm?

          Pedro Resende (Inactive) added a comment -

          You're right, it's defaults

          Pedro Resende (Inactive) added a comment -

          Tested and approved by Q.A.


            People

            • Assignee:
              Unassigned
              Reporter:
              Damien Pobel (Inactive)

                Time Tracking

                Estimated: 1d
                Remaining: 0m
                Logged: 4d 1h
