NelmioCorsBundle: XMLHttpRequest cannot load, Origin not allowed

Hi,

First, thanks for this wonderful bundle. I’ve got a problem when using it on my project; I have this error:

XMLHttpRequest cannot load http://www.website1.com/public-api/v1/tag/stat. Origin http://www.website2.com is not allowed by Access-Control-Allow-Origin.

My config.yml :

nelmio_cors:
    defaults:
        allow_credentials: true
        allow_origin: ['*']
        allow_headers: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept']
        allow_methods: ['POST','GET','DELETE','PUT']
        expose_headers: ['*']
        max_age: 0
    paths:
      '^/public-api':
          allow_credentials: true
          allow_origin: ['*']
          allow_headers: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept']
          allow_methods: ['POST','GET','DELETE','PUT']
          expose_headers: ['*']
          max_age: 0

I tried ‘^/public-api’ or ‘^/public-api/’, same error.

I also tried enabling the bundle on the root with this config, and it works:

nelmio_cors:
    defaults:
        allow_credentials: true
        allow_origin: ['*']
        allow_headers: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept']
        allow_methods: ['POST','GET','DELETE','PUT']
        expose_headers: ['*']
        max_age: 0
    paths:
      '^/': ~

I don’t want to enable it on the entire project. How can I do that? Thanks.

About this issue

  • State: closed
  • Created 11 years ago
  • Comments: 23 (8 by maintainers)

Most upvoted comments

I was trying to debug by simply printing out some stuff in the server-side controller with print, so there never was a Symfony response sent. Therefore the listener could not add the necessary headers. Stupid me!

First of all, if you just have one config you probably don’t need to tweak the defaults; just remove the defaults block. I would advise you to set a max_age so that the browser can cache it too, otherwise you end up with tons of OPTIONS requests to handle, which slows things down. Also, the expose_headers might not accept a ‘*’ value; I’m not sure, but I don’t see anything that suggests it does. So all in all I’d try with this:

nelmio_cors:
    paths:
      '^/public-api':
          allow_credentials: true
          allow_origin: ['*']
          allow_headers: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept']
          allow_methods: ['POST','GET','DELETE','PUT']
          expose_headers: []
          max_age: 3600

Apart from the expose_headers though, I don’t know of anything that could cause it to fail like you’re seeing. Do you have any more details? Can you inspect the OPTIONS request in Chrome to see what is returned as headers?

I just had the same problem and it was as @sprain said: there was a var_dump in the code. Check if you have that.

OK, closing this because it seems there is no real problem with the bundle. Feel free to say if that’s not the case though.
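To read the OPTIONS response headers the way the browser does, as suggested in the thread, the following JavaScript (an added example, not part of the original thread or of NelmioCorsBundle) applies the browser's CORS checks to a captured request/response pair. The `req`/`res` object shapes and the function names are assumptions made for this example, and the sample responses are constructed, including one with no CORS headers at all, as seen when a response never passes through the bundle's listener.

```javascript
// Added example, not NelmioCorsBundle code. Header maps use lower-case names;
// every request and response below is constructed sample data.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const list = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// CORS check the browser applies to the preflight and to the actual response.
function corsCheck(req, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return 'missing Access-Control-Allow-Origin';
  if (req.credentials && acao === '*') return 'wildcard origin with credentials';
  if (acao !== '*' && acao !== req.origin) return 'origin mismatch';
  if (req.credentials && headers['access-control-allow-credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not true';
  }
  return 'ok';
}

// Extra checks that apply only to the OPTIONS preflight response.
function preflightCheck(req, res) {
  if (res.status < 200 || res.status > 299) return 'preflight status not 2xx';
  const cors = corsCheck(req, res.headers);
  if (cors !== 'ok') return cors;
  // '*' in the method/header lists only counts for requests without credentials.
  const wildcard = (items) => !req.credentials && items.includes('*');
  const methods = list(res.headers['access-control-allow-methods']);
  if (!methods.includes(req.method) && !SAFELISTED_METHODS.includes(req.method)
      && !wildcard(methods)) return `method ${req.method} not allowed`;
  const allowed = list(res.headers['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of req.requestHeaders.map((s) => s.toLowerCase())) {
    // Authorization must always be listed by name, never matched by '*'.
    const byWildcard = name !== 'authorization' && wildcard(allowed);
    if (!allowed.includes(name) && !byWildcard) return `header ${name} not allowed`;
  }
  return 'ok';
}

// Constructed request: credentialed DELETE from the origin named in the error message.
const req = { origin: 'http://www.website2.com', method: 'DELETE',
  credentials: true, requestHeaders: ['X-Requested-With'] };
const good = { status: 200, headers: {
  'access-control-allow-origin': 'http://www.website2.com',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'POST, GET, DELETE, PUT',
  'access-control-allow-headers': 'origin, x-requested-with, content-type, accept' } };
// Headers of a response that bypassed the CORS listener (output printed directly).
const bare = { 'content-type': 'text/html' };
const star = { ...good, headers: { ...good.headers, 'access-control-allow-origin': '*' } };

console.log(preflightCheck(req, good), '|', corsCheck(req, bare), '|', preflightCheck(req, star));
```

A credentialed request needs the exact origin echoed back, so a literal `*` in `Access-Control-Allow-Origin` fails the check even when every other header is correct.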