Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
To allow Ajax requests from a different domain and take advantages of the new REST module more globally.
W3C Draft: http://www.w3.org/TR/cors/
What: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
Why: http://annevankesteren.nl/2012/12/cors-101
Who: http://caniuse.com/cors
How: Via https://github.com/asm89/stack-cors library
This header needs to be set everywhere (or pretty much everywhere).
Access-Control-Allow-Origin: *
Might be a REST module thing but putting on base system just in case.
Beta phase evaluation
Issue priority | This is highly important to headless setups (Angular, Ember, etc.) , which often run on a different domain than their backend. Without CORS they cannot actually talk to Drupal. Given that this seems major. |
---|---|
Issue category | Feature request: REST applications can still be built as native apps or javascript apps on the same domain, so this is not a bug; rather, it is an expansion of functionality. |
Prioritized changes | Not a prioritized change for 8.0.x. |
Disruption | There is no impact on existing developers. No APIs change as a result of this issue; we only add some more (disabled by default) properties to default.settings.yml |
Comment | File | Size | Author |
---|---|---|---|
#152 | interdiff.txt | 828 bytes | slasher13 |
#152 | 1869548-152.patch | 9.23 KB | slasher13 |
#150 | interdiff.txt | 2.69 KB | slasher13 |
#150 | 1869548-150.patch | 9.92 KB | slasher13 |
#142 | 1869548-141.patch | 9.22 KB | alexpott |
Comments
Comment #0.0
nod_add W3C link
Comment #1
nod_tagging
Comment #2
Crell CreditAttribution: Crell commentedI think this is a REST module thing in particular.
Anything that says "Allow: *" automatically makes me nervous from a security perspective. I'm not fully versed in CORS so I don't know if that's warranted, but tagging for the security team to get their opinion.
Comment #3
Damien Tournoud CreditAttribution: Damien Tournoud commentedThat makes total sense, but only makes sense from a security perspective if you use for those requests an authentication mechanism that is separate from the one used by the standard browser-based requests. For example, it works well for Facebook / Google / Twitter using the oAuth2 "Implicit grant" authorization flow.
It will not work from a security perspective if we cannot mandate cross-domain requests to use a different authentication mechanism.
This needs to be postponed until:
Comment #4
nod_Well I was just thinking about GET. What I had in mind was adding the header to all the entity that one can GET anonymously through the REST module. That'd be a start.
(edit) the HTTP methods used can be restricted with
Access-Control-Allow-Methods
. I'll try to see if I understand enough of Symfony to roll a quick & dirty patch.Comment #5
Damien Tournoud CreditAttribution: Damien Tournoud commentedAllowing GET while still respecting cookie authentication will open the site to information disclosure. That's just not acceptable.
Comment #6
nod_the omit credentials flag can be set so that cookies and HTTP auth will be ignored. A patch should help I'll try to find someone to walk me through a couple of things.Access-Control-Allow-Credentials
can be setComment #7
Damien Tournoud CreditAttribution: Damien Tournoud commentedAccess-Control-Allow-Credentials
defaults tofalse
, so this just returningAccess-Control-Allow-Origin: *
to GET requests seems sufficient.Comment #8
nod_An embarrassing patch that adds the headers to all pages, regardless of which page it is.
Needs to be improved a lot, that's as far as my symfony knowledge goes. Need to check the route so that we're in one that the REST module is responsible for.
Comment #9
andypostImplementation looks good, suppose we needs a unit test for that
Comment #10
Damien Tournoud CreditAttribution: Damien Tournoud commented#8 is just a first attempt :) We only want the header for the REST module routes.
Comment #11
Wim LeersThe CDN module does this automatically for publicly available static files. (Necessary to e.g. make fonts in Firefox work if they're hosted on a different domain.) My experience is limited to that extremely simple case, so I don't think I can contribute much to this discussion.
Comment #12
Anonymous (not verified) CreditAttribution: Anonymous commentedRegarding #6-#7, if the wildcard is used, the Access-Control-Allow-Credentials is restricted to false. That is to say, even if it is set to true by another event subscriber, that will be ignored because the wildcard prevents credentials from being included on cross-origin requests (see Hacking Web Apps section on HTML5).
Not necessarily a problem for us, but just wanted to make sure it was noted here.
Comment #13
Damien Tournoud CreditAttribution: Damien Tournoud commented@linclark: yes,
Access-Control-Allow-Credentials
being false is both by design and desirable.Just an additional note here: we also need to explicitly allow some (response) headers with
Access-Control-Expose-Headers
. (At the minimum, the Location header.)Also, the CORS implementation of most if not all of the current browsers is severely broken in many fun and interesting ways.
Comment #14
Anonymous (not verified) CreditAttribution: Anonymous commentedI wasn't saying that we would design it to be false, but rather that this is a restriction outside our control if we use the wildcard.
If someone does want to enable it to be true, they would have to unsubscribe this subscriber and add their own which determines the Origins to allow. This seems reasonable.
Comment #15
Wim Leers#13: links for interesting & fun brokenness? :)
Comment #16
Anonymous (not verified) CreditAttribution: Anonymous commentedAlso, RE: #10:
Is there any security reason for doing this? In Hacking Web Apps, it says:
I looked at the resource sharing check algorithm in the spec and it seemed to me like it was on a per-resource basis. Additionally, Anne VK's response in a mailing list thread seems to indicate it is per-resource. However, I did find an RFC which seems to indicate the same thing as Hacking Web Apps. From RFC 6454:
So if we depend on per-resource differentiation (e.g. only adding the header to REST module routes) for security purposes, it seems like we'd be going against best practice. However, it might make sense to do it for another reason.
Comment #16.0
Anonymous (not verified) CreditAttribution: Anonymous commentedlink fail
Comment #17
kim.pepperThis may be related to CORS: Chrome needs to make preflight requests using OPTIONS http verb, but I can't see any support for OPTIONS in the rest module.
Comment #18
kim.pepperMore info: https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request
Comment #19
kim.pepperI've ported the contrib CORS module to D8 over here: https://github.com/previousnext/drupal_cors
Comment #20
yanniboi CreditAttribution: yanniboi commentedI'm building a production site in d8 (I know I'm crazy ;P ) and I need CORS, so this is what I have so far...
Please comment!
Comment #21
andypostdeprecated
Comment #22
yanniboi CreditAttribution: yanniboi commentedOh snap! I was using that for debugging. That shouldn't be in there!
Comment #23
nod_Adding realted issue. Might be possible to implement this with https://github.com/asm89/stack-cors
Comment #24
dawehner@yanniboi, kim.pepper
Your implementation sure work due to the flexibility of the kernel events.
Using the stack approach would thought have a couple of advantages:
There is quite some non-straightforward code here
Yes, you can do that already, but using the stack is a formal definition to ensure that you just handle on the request/HTTP level and nothing else, so you are sure that you can be replaced by a different HTTP speaking object, like apache.
Comment #25
kim.pepper@dawehner. Looks good. I'd like to know whether there is support for getting this into core before I'd start integrating with the contrib CORS module.
Comment #26
-enzo- CreditAttribution: -enzo- commentedI'm creating a new version of my library https://github.com/enzolutions/backbone.drupal to enable use Headless Drupal using front end in a different frontend domain.
The problem I found with this kind of CORS request explained about is related with how jQuery Ajax execute the first request, because before to do a GET|PUT|DELETE|POST|PATCH request an OPTIONS request is executed to validate request methods accepted for backend server[1].
The current status of Rest module doesn't implement the OPTIONS, so my first approach was implement that method in class Drupal\rest\Plugin\rest\resource\EntityResource using the following code
After that extra function in class EntityResource the method was available and double checked with module RestUI https://www.drupal.org/project/restui, but this solution wasn't enough because I can't enable OPTIONS method without authentication and jQuery trigger the method without CRC or Basic Auth method even if you provide in call ( I will create a issue in RestUI to request the option to enable a method without authentication).
So to resolve I follow the recommendation of @dawehner in comment #24 to use .htacess to enable CORS and intercept the OPTIONS request to avoid Drupal reject the request because doesn't have the proper Basic Auth credentials, the patch is attached but let me list the changes.
1. Rule to avoid Drupal process the options request
2. Rules to enable CORS and send the proper headers even if interception occurs
I recommend to change * for your frontend domain i.e frontend-example.com
[1] http://api.jquery.com/jquery.ajax/
Comment #27
damiankloip CreditAttribution: damiankloip commentedWe can implement this in stack by just pulling in the stack library and adding a few lines to our core.services.yml:
If we can do this, it's more preferable to an htaccess solution? Although no doubt that works. Also, any of those parameters could be easily overridden.
Comment #28
Crell CreditAttribution: Crell commentedPart of the question, I think, is whether we want this enabled by default or just easily enabled. And if easily enabled, how?
Comment #29
dawehnerIt would be great if someone who actually deal with headless drupal could test whether this patch works. On top of that some basic integration test would be cool, so that we really know that CORS is running.
so do we really want to run this after page caching? just thinking loud
Comment #30
nod_by default enabled.
Comment #31
dawehnerWell even this is really nice, having it on .htaccess itself is much faster, if you are honest but well you can still
replace the middleware and use apache, if you know what you do.
Comment #32
dmouseHi, I change this patch to create a wrapper to create an instance of Cors class.
Comment #34
damiankloip CreditAttribution: damiankloip commentedDo you have an interdiff? and why do we need that? It seems the Drupal namespaced Cors wrapper has no benefit at all?
Comment #35
dmouseThe wrapper is necessary for libraries that are implemented if they change, you can also put a more level configuration, an interface that allows you to manage the domains that can access your content.
Comment #36
dawehnerI'm sorry but we don't wrap exteral libraries like that atm.
You could easily put this domain configuration into the container as well, no need for another class.
Comment #37
damiankloip CreditAttribution: damiankloip commentedAlso, our dependencies would not get just get updated if there was such a big change. If that was the case it would be broken either way.
Comment #38
dawehner@dmouse
On top of that, by definition stack implementations have one inderface, that will not change.
Comment #39
damiankloip CreditAttribution: damiankloip commentedRight.
@dmouse, any work that allow this to be configurable should be a follow up issue.
Here is a reroll of #27.
Comment #40
dawehnerAgreed. If you can come up with good usecase, sure, try to use one.
Comment #43
alexpottI really don't think that allowing all origins should be the default behaviour. I would expect some discussion of security on this issue and considering the nature of the change and the fact we are enabling it by default I would expect a change record.
Comment #45
Crell CreditAttribution: Crell commentedI would agree that default-allow-world is a bad idea. So how do we want to enable allowing certain origins, and/or all origins? Ie, what's the API we want to expose for that?
Options I see are:
1) Edit .htaccess
2) Edit services.yml (can we do it there?)
3) Write a compiler pass
If we can make it work option 2 would be my preference.
Comment #46
dixon_Plain re-roll of the patch from #39.
Comment #47
dawehnerTried to a) add test coverage b) does solution 2)
Comment #49
jeqqUpdated the patch to work on latest Drupal 8 HEAD, fixed the broken tests.
Comment #50
Crell CreditAttribution: Crell commentedBefore we keep rolling patches, does anyone have an opinion on #45? What patches do we even want to be rolling here?
Comment #51
ygerasimov CreditAttribution: ygerasimov commentedI would vote for possibility to control these headers per route. For example by adding special tag or something to the route and then this route will get all headers according to configuration of cors.
Comment #52
dixon_@Crell I would definitely vote for option 2. It makes total sense to configure generic components with container parameters. This way you can override the settings both manually and modules can do it automatically, by writing their own compiler pass.
@ygerasimov I like that idea. But this is something that contrib could implement with a special compiler pass. I would vote for this initial core implementation to be simple and straight forward, e.g. just using one central container parameter like the patch does now.
Comment #53
dawehnerJust to be clear, the new default is basically the default behaviour without CORS. Maybe we should look inside settings.php.
In case there is a
$base_url
set we could allow that by default?Comment #54
Crell CreditAttribution: Crell commentedIf we use the Stack lib, then the services.yml approach would likely involve setting a parameter that is checked by a compiler pass, which will then register/not register the middleware and configure it. Eg, a parameter that specifies what the legal origins are. If none or not set, then just don't enable the middleware.
Alex, would that be sufficiently tight, security-wise?
Comment #55
alexpottre #54 that sounds fine
Comment #56
dawehnerThere we go.
Comment #58
dawehnerThere we go.
Comment #59
Crell CreditAttribution: Crell commentedAh, German idioms. :-) Try just "Configure Cross-Site HTTP requests (CORS)"
I don't understand this sentence. Do you mean "by default CORS is disabled"? (That's what it looks like from line 62.)
Other than those doc points I think this is good.
Also assigning to Dries for when it gets RTBCed; it has a new library so he has to commit it. Updating summary for beta considerations.
Comment #60
dawehnerRerolled and adapted for the docs suggestions of @Crell (yeah there has been some grammer lacks here)
Comment #61
Crell CreditAttribution: Crell commentedDidn't fix the #59.1.
Comment #62
damiankloip CreditAttribution: damiankloip commentedThis seems to just be asserting the same thing twice.
[] == false
is truefalse == false
is trueDo you want to just remove the second lot and use assertIdentical on the first? Actually maybe assertIdentical on all the options there?
Comment #63
dawehnerAdressed both points.
Comment #64
Crell CreditAttribution: Crell commentedGift for the headless folks...
Comment #65
effulgentsia CreditAttribution: effulgentsia commentedLooks like security was addressed in #7 and #55. Here's also a -do-not-test patch sans core/vendor and composer.lock for easier review of the changes to Drupal.
Comment #66
effulgentsia CreditAttribution: effulgentsia commentedAdded link to the https://github.com/asm89/stack-cors library in the issue summary.
Comment #67
Dries CreditAttribution: Dries commentedI think this is valuable, but it is ultimately a feature request. It's not a bug, because REST applications can still be built as native apps or javascript apps on the same domain. We're not adding new features at this point of the release so I'm postponing this to 8.1.x. Would love to see it in 8.1.x though. In the meantime, this can work perfectly well as a contributed module, right?
Comment #68
xjmUpdating the summary based on #67.
Comment #69
alexpottThere is also apparently another method not involving a module... http://enzolutions.com/articles/2014/09/08/how-to-enable-cors-requests-a...
Comment #70
dawehnerFair, hopefully someone does it.
Its just sad because that issue would not had any disruption.
Comment #71
chr.fritschI've created a module for that. Any improvments are welcome
https://www.drupal.org/sandbox/chr.fritsch/2460591
Comment #72
clemens.tolboom@chr.fritsch there is already a module https://www.drupal.org/project/cors with a pending #2328985: Drupal 8 port for CORS
Comment #73
chr.fritschThanks for the info
Comment #74
decibel.places CreditAttribution: decibel.places commentedI am interested in this because I am writing a book about CORS, including a chapter about using CORS in popular CMSs.
Here are some thoughts.
jQuery Supports Limited CORS
Drupal 8 already supports CORS via jQuery in core/assets/jquery/jquery.js|jquery.min.js
support.cors = !!xhrSupported && ( "withCredentials" in xhrSupported );
However, CORS via jQuery is very limited, it does not support preflight without additional custom code. Preflight is often needed for requests that are not simple, and can improve security.
Adding CORS Headers With the CORS Module
The CORS module is a handy way to map headers required for CORS to Drupal paths. I think its most appropriate use is when integrating a service or API that requires addition of CORS headers, without additional custom coding.
An interesting feature of the CORS module is the
<mirror>
token that will add the domain from a request that sends the Origin header to the Access-Control-Allow-Origin header. This is like a slightly limited use of the wildcard, because requests without the Origin header will not be allowed.CORS Should Be Implemented With Custom Code
In most cases, CORS should be implemented very carefully and with additional logic to validate and process the requests, including preflight when needed. This assumes custom code, probably in a custom module. In a custom implementation, the headers should be managed in that code, which makes the CORS module unnecessary for these cases.
Limited Support for Multiple Domains in the Access-Control-Allow-Origin Header
The W3C specification defines a space-separated list of allowed domains. However, multiple allowed domains are not yet supported in all clients.
That is the reason many people suggest using the wildcard "*" but that allows requests from ALL domains. For security additional processing of requests, and perhaps preflight, are needed when using the wildcard.
Recommendations for Including the Access-Control-Allow-Origin Header in Drupal Core
Therefore if the Access-Control-Allow-Origin header is to be added in Drupal core, I recommend:
For a complete implementation of CORS in Drupal core, configuration adding additional headers when needed should be considered.
What About JSON-P?
In some cases cross-origin requests may be implemented with JSON-P. It is much simpler, and less secure, than using CORS.
Comment #75
pkosenko CreditAttribution: pkosenko commentedThere is a Drupal 7 CORS custom module that doesn't look like it is being assiduously maintained or updated to Drupal 8 on the module site.
However, someone else on Github has contributed an update for Drupal 8. I would suggest that it be posted over to the DRUPAL archive as the
https://www.drupal.org/project/cors (Drupal 7)
https://github.com/piyuesh23/cors (Drupal 8) I added a fix for D8 Beta 10
Someone should contact piyuesh23 about moving it over.
Comment #76
keboca CreditAttribution: keboca as a volunteer commented@decibel.places thanks it is useful, also @pkosenko thanks for a heads-up. I was getting the same error reported
https://github.com/piyuesh23/cors/issues/4
However your patch is good enough, I am working with Drupal 8.0.0-beta14 then I updated implementation of "CorsConfigForm":
Added the following lines:
And overwrite the way to retrieve configuration:
$config = $this->configFactory->getEditable('cors.config');
Comment #77
constrict0r CreditAttribution: constrict0r commented0n Drupal-8.0.0 beta 16 I applied the patch made by @pkosenko and it worked perfectly.
Comment #78
dawehnerWell, this won't land in 8.1.x, well at lest the next version has a chance for that.
Comment #79
clemens.tolboom@pkosenko + @keboca + @constrict0r as we have a patch in #63 it would be better to reroll the patch instead of pointing to remote sites. Regarding contrib cors see #2328985: Drupal 8 port for CORS
Comment #80
andypostI'd better make it into module to easy override from contrib and make configurable
Comment #81
jeqqThis is a reroll, doesn't contain changes from #80
Comment #82
dawehnerLet's ask the testbot about it!
Comment #84
dawehnerWe should add the additional library in its issue and integrate it in here.
This way we can iterate quicker.
Comment #85
jeqqFixed patch #81
Comment #87
dawehnerLet's try it again.
Note: We are using a kernel test now.
Comment #89
AlxVallejo CreditAttribution: AlxVallejo commentedAny reason why we need the installed.json file in the patch? That's where it's failing. According to some sources, this file shouldn't be committed to the repository since it's essentially a documentation of what packages are installed on your instance.
Comment #90
AlxVallejo CreditAttribution: AlxVallejo commentedHere's the same patch without the installed.json.
One note is that if I set exposedHeaders to true, I get a 403 on just about every request.
Comment #91
AlxVallejo CreditAttribution: AlxVallejo commentedComment #93
AlxVallejo CreditAttribution: AlxVallejo commentedComment #94
dawehnerI'll try it as well.
Comment #96
dawehnerLet's try a binary one.
Comment #98
dawehnerNo idea why this doesn't apply to be honest.
Comment #99
Wim LeersIs this not blocked on #2237231: Support OPTIONS request ?
Comment #100
dawehnerAfaik OPTIONS requests are not always requested, just in one of many cases, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Comment #102
dawehnerReroll ...
Comment #104
dawehnerThere we go
Comment #105
Wim LeersOh, hah! Nice fix :)
I think somebody else with deeper CORS knowledge/experience should RTBC this. But the patch looks great to me. Only very minor remarks.
core.services.yml
?This one is a bit confusing. The default value is an array, but we must specify a sole string to allow all methods? Or is it
['*']
that you should specify here?We have documentation for the other settings, shouldn't we also have them for these?
Comment #106
dawehnerHere are some minor adaptions ...
Comment #107
Wim LeersOn second thought, in #105 I said:
… but this patch doesn't actually enable CORS by default. This is just to make it possible to enable CORS. That's a big step forward. So let's do this.
This will still need a change record. And ideally, it would be documented. I think https://www.drupal.org/documentation/modules/rest/start would be a good place.
Comment #110
dawehnerUpdated
Comment #111
andypoststill needs work for change record
Comment #112
Wim LeersI started a CR myself: https://www.drupal.org/node/2715637
That also made me realize the current issue title is fairly misleading
Comment #113
catchI had a quick read through https://github.com/asm89/stack-cors/blob/master/src/Asm89/Stack/CorsServ...
The non-strict in_array() comparisons don't look great, especially given the configuration apparently allows an array of methods/origins as well as boolean true for both - I can see a badly resolved merge conflict or similar leading to someone having 'true' in their options array.
Not sure about adding this to core.services.yml without anything using it. For example why wouldn't REST module add it itself if that's where we're going to use it in core?
If we take the configuration from services.yml, if multiple modules want to use CORS (say one for REST and one for AJAX), how do the different configuration needs between the two work? Or is it entirely up to the site administrator to configure this correctly, in which case we're back to the original question of why put it in core.services.yml and undoing it with a compiler pass vs. just letting them configure in a project/site-specific YAML.
Just in general, having this in a middleware doesn't seem like the most useful place. It allows requests to be rejected very early if they're invalid, but that's by far the least common case - so we'll be running this code on requests that don't care about this at all.
Also moving this out of rest module to base system for now.
Comment #114
Wim LeersBecause it lives on a different level than REST. REST = routes + controllers. CORS is something you may want to apply to things other than REST too. CORS is something more fundamental than REST.
That is the thing: it needs to be configured. That's why it's opt-in. We can't automate this, because it has security consequences. So we need developers to configure it to suit their needs.
To my understanding,
core.services.yml
contains all of the default configuration, site-specific YAML files can then override container parameters, i.e. any container parameter a site-specific YAML file specifies is one they override.This is why
sites/default/default.services.yml
duplicates a lot of container parameters that live incore.services.yml
, but it adds documentation. And it's why Drupal's default installation doesn't actually copysites/default/default.services.yml
tosites/default/services.yml
. It's an opt-in process. It's exactly the same here.Having this in a middleware may add CORS headers to some responses unnecessarily, but it does make reasoning about it far simpler: it means that we'll be setting the same CORS headers on all responses. Which indeed may be overkill/unnecessary in some cases, but the lack of conditionality, and the declarativeness we get instead make it super simple to reason about:
. That's simple.If you instead have to whitelist on a per-URL, per-route or per REST-resource basis, that makes the configuration a whole lot more complex, with no apparent gain. Because if you trust a certain domain
Also, quoting #16:
Comment #115
dawehnerSo what we do on normal requests is the following:
and
so for normal HTML requests we don't use it anyway. Its hard to see how more minimal it could be.
Comment #116
dawehnerIn general I don't want to fight for that external library, I just think that actual configuration via CMI doesn't give us that much.
Comment #117
Wim LeersPer #114, #115 and #116, back to RTBC.
Comment #119
Wim LeersRetesting.
Comment #120
catchDiscussed in irc with dawehner.
I have a general concern that middlewares are becoming the new hook_boot(). The usage here is OK, but I have a list as long as my arm of horrible things done in hook_boot() in 7.x and earlier, and the more middlewares we get in core, the more likely it seems we'll get them used as an antipattern in contrib and custom code. Is there high level documentation of them on d.o? If not a follow-up to add some would be good.
Could this not be reversed so it adds the middleware if it's enabled, rather than removing it if it's disabled? dawehner also brought this up in irc.
Comment #121
Wim Leers:D
Effectively they indeed are the new
hook_boot()
. Is this really an anti-pattern? Sometimes there are things you need to do at that stage. What really matters, is that they're as fast as possible, and rely on as few and as cheap services as possible. Thedevel
module's middleware for example is awful, because it starts the entire configuration service… which OTOH seems totally acceptable for that particular module, since it shouldn't ever run on production anyway.So, my question: what do you want to see happen? Documentation explaining the purpose of middlewares, the caveats, what to pay attention to?
That sounds very sensible.
Comment #122
catchYes it's this last bit that's important. I've seen hook_boot() calling drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL)
Yes something like this. Also the distinction from kernel request events (which I also don't like for a lot of the things they get used for - those are the new hook_init()).
Comment #123
Wim LeersDo you have thoughts on where this documentation should live? I don't see any child page of https://www.drupal.org/developing/api/8 that is relevant (yes, because our documentation is saddeningly incomplete).
Comment #124
andypostLooks #2303673: Implement stackphp; cleanup handlePageCache() and preHandle() missed to add change record and docs
Meta is closed also #2492955: [meta] PSR-7 support
As I see there's only https://www.drupal.org/node/2409067 about middleware
Comment #125
catch#123 no I had a feeling there was none at all, that's what this issue reminded me of.
Comment #126
Wim LeersAlright, I'll take on working on that documentation and on the reversing mentioned in #120. Then this can go back to RTBC. This is so tantalizingly close.
@dawehner, if you want to work on the reversing, feel free. I'll take on the documentation in any case.
Comment #127
dawehnerI was about to just do it, but then I realized something
a) For better discoverability (use for example
ag "- { name: http_middleware }"
its worth to have the service insidecore.services.yml
IMHOb) I thought about dropping
by default, but still the discoverability.
c) The service pass itself used a
enabled
flag, rather than adisabled
flag, so the default behaviour is to not add it to the container, even if the config is dropped entirely.Given that on runtime we skip the middleware by default, I think the additional discoverability is a good point for keeping it as it is now.
Feel free to disagree.
Comment #128
Wim Leers#127:
a) Agreed.
b) Indeed, that'd result in a partial/incomplete service definition being declarative in a YAML file, and then some logic to make it "complete" in PHP. That's confusing.
c) Right:
@catch referred to this exact code in #120 too:
So, catch has a general concern about adding middlewares, and them becoming the new
hook_boot()
. This patch won't actually make that worse, if anything, it makes it better, because the middleware will only effectively be present in the container ifcors.config.enabled === true
. But that's easily overlooked, is what catch's concern is. To properly explain this, I think we need documentation anyway. Wrote that just now: https://www.drupal.org/developing/api/8/middleware.That still leaves a matter of preference. Either:
core.services.yml
and PHP code to remove it — pro: better discoverability, con: feels a bit strange logically (always add, conditionally remove)Given that in Drupal we tend to favor discoverability/DX over logical/semantical purity, I think @dawehner is right. So, back to RTBC.
Comment #130
chr.fritschRerolled
Comment #131
Wim LeersComment #133
Wim LeersFailed in unrelated
Config.Drupal\config\Tests\ConfigImportAllTest
. Retesting, back to RTBC.Comment #135
Wim LeersNow a random fail in
SqlContentEntityStorageSchemaIndexFilledTest
. Sigh.Comment #137
catchComment #138
Wim LeersThanks! Published CR: https://www.drupal.org/node/2715637.
Comment #139
xjmComment #140
alexpottThis composer change is not right - it's a downgrade for no reason. I'm reverting this patch because we shouldn't be doing this here.
Comment #142
alexpottHere's the fixed composer patch.
The best method to add a new dependency to core/composer.json is a bit obscure.
Doing the weird second step cause composer to sort out the merge and do an install.
Comment #143
alexpottComment #144
alexpottMy fixes to this patch have little to do the actual functionality - that has been rtbc before :) so... rtbc'ing the issue.
Comment #145
jibranThis version doesn't support symfony 3.0 also see https://github.com/asm89/stack-cors/issues/26. This will hinder our performance in #2712647: Update Symfony components to ~3.2. We should consider changing it to dev-master here like #2776105: Update asm89/stack-cors for Symfony 3 compatibility and revert changes introduced by #1869548.
Comment #146
dawehner@jibran
But we have a way to solve that ... IMHO updating to symfony 3 is not a requirement for 8.2. 2.8 will be supported for longer.
Comment #147
alexpottI think we should ask for an official release - see https://github.com/asm89/stack-cors/issues/26 and get that before re-committing. Symfony 3 is a known and big target. Committing dev-master dependencies is not a good idea.
Comment #148
alexpottBut using a reference is better than just a value copy because exception traces are not always something small.
Comment #149
slasher13Comment #150
slasher13Comment #151
alexpottSo #150 bumped the version to 1.0.0 - nice.
These are completely unrelated changes - not sure why they occur but they don't for me.
Comment #152
slasher13Changes occur after composer self-update. Can you confirm it?
Comment #153
alexpott@slasher13 not for me. My composer version is Composer version 1.2.0 2016-07-19 01:28:52. The procedure I follow is outlined in #142.
Comment #154
slasher13I could reproduce my problem.
Comment #155
alexpott@slasher13 nice sleuthing. It's one of the tricky things about composer.lock diffs - people have got too used to stuff changing for no reason. I think it's best for changes to be the minimal change - which #152 has. Nice.
Comment #156
dawehnerIt seems to be that @alexpott and @slasher13 agree on #152, so this is ready again, nice!
Thank you @slasher13 for jumping in!
Comment #157
xjmYay!
This most likely needs to go in before the beta commit freeze (tomorrow) to be in 8.2.x, so tagging for visibility in the RTBC queue.
Comment #158
alexpottCommitted bc83416 and pushed to 8.2.x. Thanks!
Comment #163
Sam152 CreditAttribution: Sam152 as a volunteer and at PreviousNext commentedJust noting this was really really hard to override from a config object. See #2794109: Find a way to replace the container parameter in a better way..
Re: andypost, #80, looks like we had the same thought :)
Comment #164
cilefen CreditAttribution: cilefen as a volunteer commented