Making cross-origin HTTP requests¶
eZ Platform ships with NelmioCorsBundle, an open-source Symfony bundle that provides support for CORS (Cross-Origin Resource Sharing). The REST API is pre-configured to respond to such requests, as long as you customize the allowed origins as explained below.
What is CORS?¶
Supported by most modern browsers, this W3C specification defines a set of custom headers that, under specific circumstances, allow HTTP requests between different hosts. The main use-case is execution of AJAX code from one site towards another.
More information about CORS
Since CORS support is provided by a third party bundle, we re-use the semantic configuration it provides. You can read more about it in NelmioCorsBundle's README.
The origin of a request is one of the main criteria for allowing or blocking a cross-origin request. Such requests will come with an Origin HTTP header, automatically added by the browser, that gets approved/blocked by the server. By default, all cross-origin requests will be blocked.
Granting an origin default access¶
To allow a specific host to execute cross-origin requests, you need to add this host to the
nelmio_cors.default.allow_origin configuration array in
As an example, in order to allow requests from
http://example.com you would add those lines to
1 2 3
nelmio_cors: defaults: allow_origin: [ 'http://example.com' ]
Changing configuration of NelmioCorsBundle for eZ Platform REST¶
The default configuration of NelmioCorsBundle for eZ Platform REST paths is set in the nelmio_cors.yml file.
To adapt these settings to your own needs you have to overwrite them in the
app/config/config.yml file under the same configuration path, for instance:
1 2 3 4 5 6
nelmio_cors: paths: '^/api/ezp/v2/': max_age: 3600 allow_credentials: false allow_origin: ['http://ez.no']
Granting CORS access to your own HTTP resources¶
NelmioCorsBundle is perfectly safe to use for any non-eZ HTTP resource you would like to expose. Follow the instructions in NelmioCorsBundle's configuration chapter.