
Symfony 3 HTTP Cache and Cross Origin Headers overwrite


I have a frontend AngularJS app that consumes a backend API written in Symfony 3. I am using Symfony HTTP Cache to speed up some of my heavy responses.

I am in the testing phase, so my backend API adds Access-Control-Allow-Headers:"*" to all responses.

But there is a problem with responses that are cached. In their header, Access-Control-Allow-Headers:"*" is overwritten with Access-Control-Allow-Headers:"example.com", where example.com is the client address that requested the resource just before it was cached.

So, if I open my frontend app on the address www.example.com instead of the address example.com, I see the following error in Firebug:

XMLHttpRequest cannot load https://backend.com/tests/all. 
The 'Access-Control-Allow-Origin' header has a value 'http://example.com' 
that is not equal to the supplied origin. 
Origin 'http://www.example.com' is therefore not allowed access. 

I am using NelmioCorsBundle that adds CORS headers support to my Symfony3 application.


Solution

  • Try setting forced_allow_origin_value: * in your config:

        nelmio_cors:
            defaults:
                …
                # Quote the asterisk: a bare * starts a YAML alias and fails to parse
                forced_allow_origin_value: '*'
    

    Per the configuration docs:

    By default, the Access-Control-Allow-Origin response header value is the Origin request header value (if it matches the rules you've defined with allow_origin), so it should be fine for most of use cases. If it's not, you can override this behavior by setting the exact value you want using forced_allow_origin_value.

    So to send Access-Control-Allow-Origin: *, the exact value you want is literally *.
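
Why the cached response fails for the second origin, and how the setting above changes that, shown as an added example that is not part of the original answer or of NelmioCorsBundle: a toy shared cache (all function and class names are hypothetical) compared under three configurations. It goes beyond the answer by also covering the echoed-origin default combined with a `Vary: Origin` response header, which lets a cache keep one variant per origin.

```python
# Added illustration: a toy shared cache in front of a CORS-enabled backend.
# All names are hypothetical; this is not Symfony or NelmioCorsBundle code.

def backend(origin, mode):
    """Build response headers the way each CORS configuration would."""
    if mode == "forced_star":            # forced_allow_origin_value: '*'
        return {"Access-Control-Allow-Origin": "*"}
    headers = {"Access-Control-Allow-Origin": origin}   # default: echo Origin
    if mode == "echo_vary":              # echo, plus tell caches it varies
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal HTTP cache: one stored variant per (URL, Vary'd header values)."""

    def __init__(self, mode):
        self.mode = mode
        self.store = {}      # url -> list of (vary_key, headers)

    def fetch(self, url, origin):
        request = {"Origin": origin}
        for vary_key, headers in self.store.get(url, []):
            if all(request.get(name) == value for name, value in vary_key):
                return headers                      # cache hit
        headers = backend(origin, self.mode)        # cache miss
        names = [n.strip() for n in headers.get("Vary", "").split(",") if n.strip()]
        vary_key = tuple((n, request.get(n)) for n in names)
        self.store.setdefault(url, []).append((vary_key, headers))
        return headers


def browser_allows(origin, headers):
    """Browser check for non-credentialed requests: ACAO is '*' or the origin."""
    return headers.get("Access-Control-Allow-Origin") in ("*", origin)


def second_origin_allowed(mode):
    """Warm the cache from example.com, then request from www.example.com."""
    cache = SharedCache(mode)
    url = "https://backend.com/tests/all"
    cache.fetch(url, "http://example.com")
    return browser_allows("http://www.example.com",
                          cache.fetch(url, "http://www.example.com"))


if __name__ == "__main__":
    for mode in ("echo", "forced_star", "echo_vary"):
        print(mode, second_origin_allowed(mode))
```

Browsers reject `Access-Control-Allow-Origin: *` on credentialed requests, so an API that relies on cookies or HTTP authentication needs the per-origin variant with `Vary: Origin` rather than the wildcard.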