Ibexa DXP Discussions

Community discussion forum for developers working with Ibexa DXP

CORS-Preflight failed

        allow_origin: ['*']
        allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS']
            allow_origin: ['*']
            allow_credentials: true
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS']
            expose_headers: []

I have a problem with nelmio cors and preflight request.
Currently every browser preflight request (OPTIONS request) is answered with “405 - method not allowed”.
Can someone help me here?


Hello. We actually use this bundle to uniformly handle OPTIONS requests for every REST endpoint.

I’ve tried to provide the above config and unfortunately I cannot reproduce the problem you’ve described - for me an OPTIONS request to a randomly chosen eZ Platform REST API endpoint returns an HTTP 200 response with a proper Allow header.

Please note that some web servers disallow most of the HTTP methods except GET and POST, so your case might be just a web server configuration.

If not, please specify what exactly you’re trying to achieve - which endpoint(s) you’ve sent the preflight request to and what the expected result would be. Also worth mentioning that, since we override the default Nelmio behavior, some things might not be supported with eZ Platform. But that depends on your specific use case :)

Kind regards,
Andrew Longosz
eZ Systems

In a blank installation the CORS failed because the Access-Control-Allow-Origin is null.
This is the answer:
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers authorization, accept, content…en, destination, x-siteaccess
Access-Control-Allow-Origin null
Access-Control-Max-Age 60

If I add "allow_origin: ['*']", the OPTIONS request returns a 405. The Apache server accepts the OPTIONS request.
allow_origin: ['*']


to continue the development we make a dirty:
header("Access-Control-Allow-Headers: Content-Type, origin, authorization, accept, Cookie, x-csrf-token,x-http-method-override, location, Destination");
header("Access-Control-Allow-Methods: POST, PATCH, GET, OPTIONS, DELETE, PUT, HEAD, MOVE");
header("Access-Control-Allow-Origin: http://localhost:4200");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Max-Age: 3600");
so the server lets it through

but this can’t be the solution
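
Added example, not part of the thread and not Ibexa or NelmioCorsBundle code: the checks a browser applies to a preflight response under the Fetch standard, written as a function that reports why a captured OPTIONS response is rejected. The request and both responses are constructed samples modelled on the `Access-Control-Allow-Origin: null` and 405 cases reported above; `checkPreflight` and the object shapes are names chosen for this example.

```javascript
// Added example: the CORS-preflight acceptance rules of the Fetch standard,
// applied offline to a captured OPTIONS response.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const list = (v) => (v || '').split(',').map((t) => t.trim()).filter(Boolean);

// req: { origin, method, headers: [names], credentials: boolean }
// res: { status, headers: { 'lower-cased-name': value } }
// Returns the reasons a browser would block the request; empty array = pass.
function checkPreflight(req, res) {
  const problems = [];
  const h = res.headers;
  // 1. The preflight response needs an ok (2xx) status.
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  // 2. Allow-Origin must equal the Origin; "*" is accepted only without credentials.
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    problems.push('Access-Control-Allow-Origin missing');
  } else if (acao !== req.origin && !(acao === '*' && !req.credentials)) {
    problems.push(`Access-Control-Allow-Origin "${acao}" does not match "${req.origin}"`);
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  // 3. Non-safelisted methods must be listed; "*" counts only without credentials.
  const methods = list(h['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) &&
      !(methods.includes('*') && !req.credentials)) {
    problems.push(`method ${req.method} not allowed`);
  }
  // 4. Each header announced in Access-Control-Request-Headers must be listed.
  const allowed = list(h['access-control-allow-headers']).map((n) => n.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    const viaWildcard = allowed.includes('*') && !req.credentials && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard) problems.push(`header ${name} not allowed`);
  }
  return problems;
}

// Constructed samples modelled on the two failures reported in the thread.
const request = { origin: 'http://localhost:4200', method: 'PUT',
  headers: ['authorization', 'content-type'], credentials: true };
const nullOriginResponse = { status: 200, headers: {
  'access-control-allow-origin': 'null', 'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'access-control-allow-headers': 'authorization, accept, content-type' } };
const rejectedResponse = { status: 405, headers: { allow: 'GET, POST' } };

console.log(checkPreflight(request, nullOriginResponse));
console.log(checkPreflight(request, rejectedResponse));
```

With credentials enabled, a literal `*` in `Access-Control-Allow-Origin` is rejected as well, so a credentialed API has to return the one origin it trusts rather than a wildcard.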