CORS headers aren't applied to the module response

Created on 25 October 2023, 8 months ago
Updated 9 May 2024, about 1 month ago

Problem/Motivation

The module doesn't work in decoupled application with WEB part having a separate domain. Chrome-based browsers blocks the response due CORS policies.

Steps to reproduce

- Configure CORS in Drupal
- Enable the module.
- Request non-existing file with "Origin" header with different domain
- "Access-Control-Allow-Origin" header missed in the response

Proposed resolution

CORS support is designed as middleware, and works correctly. The issue is in the module - it send raw "Location" header in the Event Subscriber. It breaks a correct works both of HTTP Foundation Symfony component (which implements Request event handling) and Stack Kernel (middleware support). Then `exit()` is used, that is really bad practice in any framework. In this case it breaks middleware correct work, and may have affection on Drupal correct work too.

Looks like raw headers must not be used with HTTP Foundation and Stack Kernel, and a ResponseInterface response should be returned from the Event Subscriber.

Remaining tasks

Choose correct priority to the Subscriber (I'll create a separate issue)

πŸ› Bug report
Status

Fixed

Version

2.1

Component

Code

Created by

πŸ‡§πŸ‡ΎBelarus dewalt

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.69.0 2024