New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(http): add flag/config to allow CORS requests, close #229 #293
base: main
Are you sure you want to change the base?
Conversation
you should be able to write a functional test as you would in Go but I believe we don't have a test case available to get you inspired |
@Kocal did you get a change to have a look for a test? |
@tucksaun not at all, I can try to take a look in the next days |
@Kocal I guess we are good, it's not worst than the actual situation :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we check for preflight requests as well?
@@ -212,6 +213,10 @@ func (s *Server) ProxyHandler(w http.ResponseWriter, r *http.Request) { | |||
|
|||
// Handler handles HTTP requests | |||
func (s *Server) Handler(w http.ResponseWriter, r *http.Request) { | |||
if s.AllowCORS { | |||
w.Header().Add("Access-Control-Allow-Origin", "*") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if we should not add default CORS values (see what Gorillw used to have: https://github.com/gorilla/handlers/blob/546854cf1d61a016260b224e2526a29ff5b5c5ae/cors.go#L28-L32)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also be careful not to override header sent by the upstream app
I use What is the use case for this feature? For all application request I'd rather let the application handle the headers. This would be useful only for static files? Though we normally don't load static files over XHR/fetch. I think this should only be added to headers if symfony-cli is serving static file. If servering a request via php, let php handle the headers. |
Serving static files is one use case indeed. But you can also imagine running a JS development server alongside the CLI and both can be on different domain/port and this causes issues. But only in dev, so you might not want to (or not allowed to) introduce nelmio cors. |
Hi everyone, this PR is a proposal for #229.
A new flag
--allow-cors
has been added toserver:start
command, and to confighttp.allow_cors
in.symfony.local.yaml
.When allowing CORS, the header
Access-Control-Allow-Origin: *
is added to each response.Is there a way to add automated tests for that?
Thanks!