Reputation: 141
Okay, so back to https://api-platform.com :)
So I currently have corsAllowOrigin: "*" #to allow all origins in my helm values file (as per docs), to make sure that the proper headers are being set on return values.
Now I would expect (as per docs) that the Access-Control-Allow-Origin: would now go to "*", however it goes to Access-Control-Allow-Origin: null. That's of course a bit annoying because it prevents React Native apps from accessing the API.
Question here, is this a bug? Am I using the wrong values? Or overlooking something?
Upvotes: 1
Views: 7528
Reputation: 1888
As the others have said, CORS is handled by nelmio/cors-bundle. If you don't wish to modify env files, the actual package configuration for it is documented on its GitHub page https://github.com/nelmio/NelmioCorsBundle.
The configuration you'd want to modify is the allow_origin configuration, which can have a default value or can be configured based on the path of the current request. Pretty neat.
In config/packages/nelmio_cors.yaml:

    nelmio_cors:
        defaults:
            # ...
            allow_origin: []
            # ...
        paths:
            '^/api/':
                # ...
                allow_origin: ['*']
                # ...
            '^/':
                # ...
                allow_origin: ['^http://localhost:[0-9]+']
                # ...
Upvotes: 0
Reputation: 51
Set the .env file with:

    ###> nelmio/cors-bundle ###
    CORS_ALLOW_ORIGIN=['*']
    ###< nelmio/cors-bundle ###
Upvotes: 5
Reputation: 1251
By default, API Platform uses nelmio cors and the default config uses the environment variable CORS_ALLOW_ORIGIN.
With that you can allow any URL with this config in your .env (or .env.local) with CORS_ALLOW_ORIGIN=^https?://.*?$
Upvotes: 3
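An added example, not part of any answer above and not NelmioCorsBundle's own code: a simplified Python model of the per-path allow_origin rules and the CORS_ALLOW_ORIGIN regex quoted in the answers, run against constructed Origin values to see what each pattern admits. It assumes patterns are regular expressions searched case-insensitively against the Origin header, that '*' admits any origin, and that the first matching path rule wins; the function names and sample origins are hypothetical.

```python
import re

# Constructed policy mirroring the patterns quoted in the answers above.
# Assumption: entries are regexes searched against the Origin header
# (the bundle's origin_regex mode); '*' means "any origin".
PATHS = [
    (r"^/api/", ["*"]),
    (r"^/", [r"^http://localhost:[0-9]+"]),
]
ENV_ANY = [r"^https?://.*?$"]            # value suggested for CORS_ALLOW_ORIGIN
STRICT = [r"^http://localhost:[0-9]+$"]  # same localhost rule, end-anchored


def origin_allowed(origin, patterns):
    """True if any pattern admits this Origin header value."""
    for pattern in patterns:
        if pattern == "*" or re.search(pattern, origin, re.IGNORECASE):
            return True
    return False


def patterns_for(path, paths=PATHS, defaults=()):
    """First path rule whose regex matches the request path wins."""
    for path_regex, patterns in paths:
        if re.search(path_regex, path):
            return patterns
    return list(defaults)


def audit(origins, patterns):
    """Return the subset of origins a pattern list would admit."""
    return [o for o in origins if origin_allowed(o, patterns)]


# Constructed Origin values, for illustration only.
SAMPLE_ORIGINS = [
    "http://localhost:3000",
    "http://localhost:3000.example.test",  # localhost prefix, other host
    "https://app.example.test",
]

if __name__ == "__main__":
    for label, patterns in [
        ("/api/ rule", patterns_for("/api/books")),
        ("/ rule", patterns_for("/login")),
        ("end-anchored", STRICT),
        ("env regex", ENV_ANY),
    ]:
        print(f"{label:13} {patterns} -> {audit(SAMPLE_ORIGINS, patterns)}")
```

In this model the localhost pattern without a trailing $ also admits the second sample origin, the end-anchored variant admits only the bare host and port, and ^https?://.*?$ admits every http(s) origin just as '*' does.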