Drupal 8.2 introduced Opt-in CORS support. Using the documentation in default.services.yml I cannot get it to work. Neither can a lot of other people, as can be seen from the comments in https://www.drupal.org/node/2715637.

Is something missing from the documentation?

Tried on Drupal 8.3.7 and Apache 2.4.25-3ubuntu2.3, with this configuration:

cors.config:
enabled: true
# Specify allowed headers, like 'x-allowed-header'.
allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
# Specify allowed request methods, specify ['*'] to allow all possible ones.
allowedMethods: ['*']
# Configure requests allowed from specific origins.
allowedOrigins: ['*']
# Sets the Access-Control-Expose-Headers header.
exposedHeaders: false
# Sets the Access-Control-Max-Age header.
maxAge: 1000
# Sets the Access-Control-Allow-Credentials header.
supportsCredentials: false

Comments

gaele created an issue. See original summary.

cilefen’s picture

cilefen CreditAttribution: cilefen as a volunteer commented
Category: Support request » Bug report

Hi @gaele: Just a tip: you can get more attention on an issue by relating it from the original, which is in this case #1869548: Opt-in CORS support. I've just done that.

selva.swamy@gmail.com’s picture

selva.swamy@gmail.com CreditAttribution: selva.swamy@gmail.com as a volunteer and commented
Component: documentation » base system

Updating the component as I am facing same issue. Even though I update the services.yml as per https://www.drupal.org/node/2715637 I could not get to work.

Do we need CORS enabled on the server we are trying to access? I am trying to access a YouTube video via a embed URL

mr.baileys’s picture

mr.baileys
Primary language Dutch
Location 🇧🇪 (Ghent)
CreditAttribution: mr.baileys at SQLI - Belgium commented
Category: Bug report » Support request
Status: Active » Postponed (maintainer needs more info)

Do we need CORS enabled on the server we are trying to access?

It all depends on what exactly you are trying to do, and what error or issue you are experiencing. @kswarmy, for Youtube embeds, you might want to look into adding "&origin=http://example.com" to the embed src.

Moving this issue to the support queue. If you still experience issues, please provide information about what you are trying to do (for example, provide a curl request with request and response headers), and what you were expecting versus what actually happened.

Version: 8.3.7 » 8.3.x-dev

Core issues are now filed against the dev versions where changes will be made. Document the specific release you are using in your issue comment. More information about choosing a version.

Version: 8.3.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Branches prior to 8.8.x are not supported, and Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

zterry95’s picture

zterry95 CreditAttribution: zterry95 at DAVYIN Internet Solutions / 戴文信息科技有限公司 commented

The "Access-Control-Allow-Origin" display is tricky.
For example, allowedOrigins in services.yml is "http://localhost:3000", It works when you request from http://localhost:3000.
A quick test script is :

curl -H"Origin: http://localhost:3000" \
  -X GET --verbose \
  http://drupal8-example.site:8080/en

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
cilefen’s picture

cilefen CreditAttribution: cilefen as a volunteer commented
Status: Postponed (maintainer needs more info) » Closed (outdated)

I am closing this support request because there have been no recent comments.

The Drupal Core issue queue is not the ideal place for support requests. Consider other sources of support.