We have an html form element on a page served in http.
The form will submit data to /login_check using https so we need to setup CORS.
There are two CORS providers registered in the CORS options resolver: \Nelmio\CorsBundle\Options\ConfigProvider and \eZ\Bundle\EzPublishRestBundle\CorsOptions\RestProvider
When the getOptions() of the latter returns (see https://github.com/nelmio/NelmioCorsBundle/blob/1.3.3/Options/Resolver.php#L46) the value of the $options['allow_methods'] will be replaces by an empty array in this case.
Otherwise the 'allowed_methods' previously set by \Nelmio\CorsBundle\Options\ConfigProvider in \Nelmio\CorsBundle\Options\Resolver::getOptions will be overwritten with value of $return['allow_methods'] due to array_merge()
Please notice, there's already a pull request for this: