Include allowedOriginsPatterns in default.services.yml (regex matching for CORS)

The Needs Review Queue Bot → tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

Darren Oh → made their first commit to this issue’s fork.

I'm going to bump this RTBC to get some more eyes on this. I have been using this allowedOriginsPatterns in production for the better part of a year, with a note in my codebase that this is undocumented in Drupal core. I think this should go into core to let people know it's an available option for them.

The Needs Review Queue Bot → tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

Need a patch/mr against 11.x

Tried to rebase but ran into too many issues, so I cherry-picked the commits and created a new MR. I have updated the CorsIntegrationTest: the original test in this issue was written against asm89/stack-cors 1.x, while 11.x uses 2.x. The latter no longer returns http status code 403 for disallowed origins (see #3128982: Upgrade asm89/stack-cors to ^2.0 to fix cacheability → ).

Tweaked the CR a bit for 10.2

I'm triaging RTBC issues → . I read the IS and the comments. I didn't find any unanswered questions.

However, I do not see any comments that someone has reviewed the code.

I am setting back to NR for a code review.

I have reviewed the code many times. It is not necessary for someone to post a comment saying, "I have reviewed the code," for the RTBC status to be valid. Please do not unnecessarily block progress on issues.

The change is effectively one line of sample code and the additional test coverage is comprehensive.

Committed and pushed 08b493a202 to 11.x and d9986292c5 to 10.2.x. Thanks!

Also published the change record.

Woohoo, thanks @longwave!

Automatically closed - issue fixed for 2 weeks with no activity.