CORS draft

Note

You can skip this section if your frontend application is served from the same origin (scheme, host and port) as the Drupal installation: browsers only apply CORS to cross-origin requests.

What and Why?

Cross-Origin Resource Sharing (CORS) in the MDN Web Docs explains the concept well.

If the frontend application is served from a different origin than Drupal (a different host, but also a different scheme or port), the browser blocks the frontend's requests to Drupal unless Drupal answers them with the right Access-Control-* headers. Cross-origin resource sharing therefore has to be enabled and configured on the Drupal side, and configured narrowly: it is an allowlist of which origins may read your API from a browser, not an on/off switch.

Drupal configuration

The settings live in the parameters section of sites/default/services.yml (copy sites/default/default.services.yml to create the file if it does not exist yet). Drupal ships with CORS disabled and the following defaults:

```yaml
  # Configure Cross-Site HTTP requests (CORS).
  # Read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  # for more information about the topic in general.
  # Note: By default the configuration is disabled.
  cors.config:
    enabled: false
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: []
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: []
    # Configure requests allowed from specific origins.
    allowedOrigins: ['*']
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: false
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: false
```

Common Pitfalls

Basic Auth breaks CORS

Two things go wrong when the frontend authenticates with HTTP Basic Auth. First, Authorization is not a CORS-safelisted request header, so every request carrying it triggers a preflight, and a wildcard in allowedHeaders does not cover it: browsers refuse to treat Access-Control-Allow-Headers: * as permission for Authorization, so list authorization explicitly. Second, the preflight is an OPTIONS request that the browser sends without the Authorization header; if anything in front of Drupal (for example web-server password protection on a staging site) answers that OPTIONS request with 401, the preflight fails and the real request is never sent.
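As an added example (not code from this page, from Drupal or from the stack-cors library Drupal uses), the script below parses a cors.config block as it would appear in services.yml and simulates how a browser judges the preflight for a request from the frontend. It assumes a frontend at https://app.example.com that authenticates with Basic Auth; both services.yml fragments and all request values are constructed. The model treats a configured '*' as the literal wildcard header; a server that instead echoed the request's Origin would pass the browser check even for credentialed requests, which is exactly why lint() rejects a wildcard origin combined with supportsCredentials.

```python
"""Preflight simulator for the cors.config block of a Drupal services.yml.

Added example, not Drupal or asm89/stack-cors code: parse_cors_config() reads the
flat YAML subset cors.config uses and preflight() applies the checks a browser
makes (Fetch standard, simplified; a configured '*' is the literal wildcard).
All YAML and request values here are constructed for the example."""

# Names a browser sends without a preflight; Content-Type is omitted because it
# is only safelisted for form and text/plain bodies, never for JSON.
SAFELISTED = {"accept", "accept-language", "content-language"}
SAFE_METHODS = {"GET", "HEAD", "POST"}  # never need Access-Control-Allow-Methods


def parse_cors_config(yaml_text):
    """Return the cors.config block as a dict keyed like services.yml."""
    cfg, block_indent = {}, None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "cors.config:":
            block_indent = indent
            continue
        if block_indent is None:
            continue  # block not reached yet
        if indent <= block_indent:
            break  # dedent: block is over
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if value in ("true", "false"):
            cfg[key] = value == "true"
        elif value.startswith("[") and value.endswith("]"):
            cfg[key] = [i.strip().strip("'\"") for i in value[1:-1].split(",") if i.strip()]
        else:
            cfg[key] = value
    return cfg


def lint(cfg):
    """Settings to reject in review before looking at any request."""
    findings = []
    headers = {h.lower() for h in cfg.get("allowedHeaders", [])}
    if "*" in cfg.get("allowedOrigins", []) and cfg.get("supportsCredentials"):
        findings.append("wildcard allowedOrigins combined with supportsCredentials")
    if "*" in cfg.get("allowedMethods", []):
        findings.append("allowedMethods '*' exposes every method, DELETE included")
    if "*" in headers and "authorization" not in headers:
        findings.append("allowedHeaders '*' does not cover Authorization; list it")
    return findings


def preflight(cfg, origin, method, request_headers, credentials=False):
    """Return (allowed, reasons). `credentials` mirrors fetch credentials: 'include';
    an Authorization header the app sets itself is just an entry in request_headers."""
    if not cfg.get("enabled"):
        return False, ["enabled: false, Drupal sends no CORS headers at all"]
    reasons = []
    wildcard_ok = not credentials  # browsers reject '*' for credentialed requests
    origins = cfg.get("allowedOrigins", [])
    if origin not in origins and not ("*" in origins and wildcard_ok):
        reasons.append(f"origin {origin} not in allowedOrigins")
    methods = {x.upper() for x in cfg.get("allowedMethods", [])}
    m = method.upper()
    if m not in SAFE_METHODS and m not in methods and not ("*" in methods and wildcard_ok):
        reasons.append(f"method {m} not in allowedMethods")
    allowed = {h.lower() for h in cfg.get("allowedHeaders", [])}
    for name in request_headers:
        h = name.lower()
        # Per Fetch, '*' in Access-Control-Allow-Headers never covers Authorization.
        if h in SAFELISTED or h in allowed or ("*" in allowed and wildcard_ok and h != "authorization"):
            continue
        reasons.append(f"header {name} not in allowedHeaders")
    if credentials and not cfg.get("supportsCredentials"):
        reasons.append("credentialed request but supportsCredentials is false")
    return not reasons, reasons


# Constructed services.yml fragments (keys not shown keep Drupal's defaults): an
# "allow everything" block and a hardened one for a Basic Auth frontend.
WEAK_YAML = """
parameters:
  cors.config:
    enabled: true
    allowedHeaders: ['*']
    allowedMethods: ['*']
    allowedOrigins: ['*']
    supportsCredentials: true
"""
HARDENED_YAML = """
parameters:
  cors.config:
    enabled: true
    allowedHeaders: ['authorization', 'content-type']
    allowedMethods: ['GET', 'POST', 'PATCH', 'DELETE']
    allowedOrigins: ['https://app.example.com']
    supportsCredentials: false
"""
```

Import the module and call preflight(parse_cors_config(text), origin, method, headers). Against the weak block, a GET carrying Authorization is refused because '*' does not cover that header, and the same request sent with credentials: 'include' fails on the origin instead; against the hardened block, the same GET passes from https://app.example.com and from nowhere else, and lint() reports nothing. The hardened block is what a frontend using Basic Auth against Drupal actually needs: the Authorization header listed by name, only the methods the application uses, and only its own origin.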

References

On Drupal.org

Others