
NelmioCorsBundle

by nelmio

Adds CORS headers support in your Symfony2 application

About

The NelmioCorsBundle allows you to send Cross-Origin Resource Sharing
headers with ACL-style per-url configuration.

If you want a global overview of the CORS workflow, you can browse
this image.

Features

  • Handles CORS pre-flight OPTIONS requests
  • Adds CORS headers to your responses

Installation

Require the nelmio/cors-bundle package in your composer.json and update your dependencies.

$ composer require nelmio/cors-bundle

Add the NelmioCorsBundle to your application's kernel:

public function registerBundles()
{
    $bundles = array(
        // ... your other bundles
        new Nelmio\CorsBundle\NelmioCorsBundle(),
        // ...
    );
    // ...
}

Configuration

The defaults are the default values applied to all the paths that match,
unless overridden in a specific URL configuration. If you want them to apply
to everything, you must define a path with ^/.

This example config contains all the possible config values with their default
values shown in the defaults key. In paths, you see that we allow CORS
requests from any origin on /api/. One custom header and some HTTP methods
are defined as allowed as well. Preflight requests can be cached for 3600
seconds.

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
    paths:
        '^/api/':
            allow_origin: ['*']
            allow_headers: ['X-Custom-Auth']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
            max_age: 3600
        '^/':
            origin_regex: true
            allow_origin: ['^http://localhost:[0-9]+']
            allow_headers: ['X-Custom-Auth']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
            max_age: 3600
            hosts: ['^api\.']

allow_origin and allow_headers can be set to * to accept any value; the
allowed methods, however, have to be explicitly listed. paths must contain at least one item.

If origin_regex is set, allow_origin must be a list of regular expressions matching
allowed origins. Remember to use ^ and $ to clearly define the boundaries of the regex.
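
Why the ^ and $ reminder matters, as an added example (not code from the bundle). It assumes each allow_origin pattern is applied as an unanchored, case-insensitive preg_match() search; the function names, patterns and Origin values are constructed for illustration.

```php
<?php
// Added example, not NelmioCorsBundle code. Assumption: each allow_origin
// pattern is run as an unanchored, case-insensitive preg_match() search.

/** True when $origin matches at least one of the configured patterns. */
function originAllowed(array $patterns, string $origin): bool
{
    foreach ($patterns as $pattern) {
        // Brace delimiters avoid clashing with the '/' characters in URLs.
        if (preg_match('{' . $pattern . '}i', $origin) === 1) {
            return true;
        }
    }
    return false;
}

/** Patterns missing a leading ^ or a trailing unescaped $. */
function unanchoredPatterns(array $patterns): array
{
    return array_values(array_filter($patterns, function (string $p): bool {
        $start = substr($p, 0, 1) === '^';
        $end = substr($p, -1) === '$' && substr($p, -2, 1) !== '\\';
        return !($start && $end);
    }));
}

// Constructed patterns: the same allowed origin, without and with a trailing $.
$configs = [
    'loose'  => ['^https://app\.example\.com'],
    'strict' => ['^https://app\.example\.com$'],
];

// Constructed Origin header values (example.com and .test are reserved names).
$origins = [
    'https://app.example.com',
    'https://app.example.com.other.test',
];

foreach ($configs as $name => $patterns) {
    echo $name, ': unanchored = ', json_encode(unanchoredPatterns($patterns)), "\n";
    foreach ($origins as $origin) {
        $verdict = originAllowed($patterns, $origin) ? 'allowed' : 'rejected';
        echo '  ', str_pad($origin, 36), $verdict, "\n";
    }
}
```

The loose pattern accepts the second origin because the match only has to begin at the start of the string; the trailing $ in the strict pattern rejects it.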

Note: If you allow POST methods and have HTTP method overriding enabled in the
framework, it will enable the API users to perform PUT and DELETE requests as well.

License

Released under the MIT License, see LICENSE.

Copyright (c) 2011 Nelmio

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
    paths:

        # Prototype
        path:
            allow_credentials: false
            allow_origin: []
            allow_headers: []
            allow_methods: []
            expose_headers: []
            max_age: 0
            hosts: []
            origin_regex: false

  • Update CHANGELOG.md
    By Seldaek, 2 years ago
  • Add warning about regexes in allow_origin
    By Seldaek, 2 years ago
  • Merge pull request #36 from omnidan/origin-regex
    By Seldaek, 2 years ago
  • origin_regex option, allow_origin with regex
    By , 2 years ago
  • Fix regression, fixes #34, closes #35
    By Seldaek, 2 years ago
  • Update install instructions
    By Seldaek, 2 years ago
  • Remove 403 on non-OPTIONS requests that have an invalid origin header
    By Seldaek, 2 years ago
  • Update changelog
    By Seldaek, 2 years ago
  • Merge pull request #27 from coopTilleuls/normalize-keys
    By Seldaek, 2 years ago
  • Merge pull request #28 from Nyholm/patch-1
    By Seldaek, 2 years ago
  • Added PHP 5.6 and HHVM to travis.yml
    By Nyholm, 2 years ago
  • Disable the normalization of keys for paths
    By meyerbaptiste, 2 years ago
  • Add warning about POST+http method override
    By Seldaek, 2 years ago
  • Merge pull request #20 from SimonSimCity/master
    By Seldaek, 2 years ago
  • HTTP method names are checked case-sensitive at the client
    By SimonSimCity, 2 years ago
  • Update changelog
    By Seldaek, 3 years ago
  • Update target version
    By Seldaek, 3 years ago
  • CS fixes
    By Seldaek, 3 years ago
  • Merge remote-tracking branch 'monbro/master'
    By Seldaek, 3 years ago
  • In case the config resolves to nothing, make sure we abort, refs #16
    By Seldaek, 3 years ago
  • CS fixes
    By Seldaek, 3 years ago
  • Merge remote-tracking branch 'bdunogier/abstract_cors_configuration'
    By Seldaek, 3 years ago
  • Update CorsListener.php
    By , 3 years ago
  • Abstracted cors configuration
    By bdunogier, 3 years ago
  • Add travis build
    By Seldaek, 3 years ago
  • Update changelog
    By Seldaek, 3 years ago
  • Bump requirement since we use Request::getSchemeAndHttpHost from sf 2.1
    By Seldaek, 3 years ago
  • Merge remote-tracking branch 'alex88/patch-1'
    By Seldaek, 3 years ago
  • Added same host check
    By alex88, 3 years ago
  • Fix invalid call when allow_methods is not set
    By Seldaek, 3 years ago