NelmioCorsBundle
Error: Access-Control-Allow-Origin set to '*' while credential mode is 'include'
Hi,
So I'm using your bundle, which works perfectly fine on localhost, but I can't make it work on my server.
I've got an Angular Front requesting my Symfony 4 API. On localhost, Access-Control-Allow-Origin header is correctly set:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:4200
Cache-Control: max-age=0, must-revalidate, private
Connection: close
Content-Type: application/json
Date: Wed, 27 Jun 2018 08:37:54 +0000, Wed, 27 Jun 2018 08:37:54 GMT
Host: 127.0.0.1:8000
Link: http://127.0.0.1:8000/api/docs.jsonld; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
X-Powered-By: PHP/7.1.16
But after uploading it to my server and modifying CORS_ALLOW_ORIGIN in my .env, I'm running into this error:
Failed to load https://API-URL.com/api/login_check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://FRONT-URL.com' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
And here is the response header:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Cache-Control: max-age=0, must-revalidate, private
Connection: Keep-Alive
Content-Length: 820
Content-Type: application/json
Date: Wed, 27 Jun 2018 08:29:52 GMT
Keep-Alive: timeout=5, max=100
Link: https://API-URL.com/api/docs.jsonld; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.6
Set-Cookie: my_cookie
X-Powered-By: PHP/7.2.6
Do you have an idea why Access-Control-Allow-Origin is set to '*' instead of 'https://FRONT-URL.com'?
Does it have anything to do with X-Powered-By?
Here is my nelmio_cors.yaml working on localhost:
nelmio_cors:
    defaults:
        allow_credentials: true
        origin_regex: true
        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization']
        max_age: 3600
    paths:
        '^/': ~
Related to #99; try to look for an answer before posting a new issue :)
I know, I checked issue #99. What I understand from it is that I should specify allow_origin directly in the .yml and not in the .env file. I tried it and it didn't work.
I've also checked issue #57, which didn't get any answer. That's why I opened this issue.
It's still not working and I can't figure out why.
Any solution for this @PaulRDX ? I think I am facing the same issue :(
Hi @icka69! Well we didn't use this library. We finally set our CORS headers directly in our server configuration.
You might find some other workaround here
Please, I have the same issue; does someone have a solution?
@epiphaneSpecter open the link that returns the error in the browser to make sure you call the right link. If the link returns any error code like 404, Symfony won't call the bundle to check for CORS.
@Guervyl of course I call the right URL. But I still have the same error.
You should have in your config\packages\nelmio_cors.yaml:
nelmio_cors:
    defaults:
        origin_regex: true
        allow_origin: ['%env(CORS_ALLOW_ORIGIN)%']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization']
        expose_headers: ['Link']
        max_age: 3600
    paths:
        '^/': null
And in the .env file:
###> nelmio/cors-bundle ###
CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
###< nelmio/cors-bundle ###
If you have this configuration, the link you're calling is http[s]://localhost, and you're still getting the error, then you are missing something.
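As an added illustration of the thread's problem (not code from the bundle or from any commenter), the snippet below models the allow-origin decision the configuration above describes: with origin_regex on, a request's Origin is echoed only when it matches one of the CORS_ALLOW_ORIGIN patterns, and a literal '*' combined with allow_credentials produces exactly the header pair the browser rejected. The regex is the one from the .env shown above; the production pattern and the hypothetical front-end origin are assumptions.

```python
import re

# Regex copied from the .env in the thread: it only matches local origins,
# so a deployed front end such as https://FRONT-URL.com will never match it.
LOCAL_ONLY = r'^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'


def cors_headers(origin, allow_origin, allow_credentials=True, origin_regex=True):
    """Simplified model (not the bundle's own code) of the allow-origin decision.

    Each entry in allow_origin is a regex when origin_regex is True; the first
    match echoes the request's Origin. A literal '*' entry emits the wildcard.
    Returns the CORS response headers as a dict.
    """
    headers = {}
    if allow_credentials:
        headers['Access-Control-Allow-Credentials'] = 'true'
    for pattern in allow_origin:
        if pattern == '*':
            headers['Access-Control-Allow-Origin'] = '*'
            return headers
        matched = re.match(pattern, origin) if origin_regex else pattern == origin
        if matched:
            headers['Access-Control-Allow-Origin'] = origin
            # Response depends on Origin, so caches must key on it.
            headers['Vary'] = 'Origin'
            return headers
    # No match: no Allow-Origin header at all, and the browser blocks the response.
    return headers


def check_credentialed_cors(headers):
    """Return the problems a browser raises for a credentialed request."""
    problems = []
    acao = headers.get('Access-Control-Allow-Origin')
    creds = headers.get('Access-Control-Allow-Credentials') == 'true'
    if acao is None:
        problems.append('no Access-Control-Allow-Origin header')
    elif acao == '*' and creds:
        problems.append("Allow-Origin is '*' while Allow-Credentials is true")
    return problems
```

Running check_credentialed_cors over the server's response headers quoted earlier in the thread flags the wildcard-with-credentials combination directly.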