NelmioCorsBundle

What's Changed

• Added support for Private Network Access https://github.com/nelmio/NelmioCorsBundle/pull/190
• Fixed default boolean values being overwritten in per-path configs https://github.com/nelmio/NelmioCorsBundle/pull/186
• Fixed deprecation notice in Symfony 7.1 https://github.com/nelmio/NelmioCorsBundle/pull/200

Full Changelog: https://github.com/nelmio/NelmioCorsBundle/compare/2.4.0...2.5.0

What's Changed

• Added Symfony 7 support (#193)
• Dropped Symfony 4 support (#193)
• Added bundle config (#184)

Full Changelog: https://github.com/nelmio/NelmioCorsBundle/compare/2.3.1...2.4.0

• Allow psr/log ^2 || ^3 by @michalbundyra in https://github.com/nelmio/NelmioCorsBundle/pull/182

Full Changelog: https://github.com/nelmio/NelmioCorsBundle/compare/2.3.0...2.3.1

• Downgraded CacheableResponseVaryListener's priority from 0 to -10 to ensure it runs after FrameworkExtraBundle listeners have set their cache headers (#179)
• Added optional logging support if you inject a Logger into the CorsListener you can get debug info about the whole CORS decision process (#173)
• Added support for setting expose_headers to a wildcard '*' which exposes all headers, this works as long as allow_credentials is not enabled as per the spec (#132)
• Added skip_same_as_origin flag (default to true which is the old behavior) to allow opting out of skipping the CORS headers in the response if the Origin matches the application's hostname (#178)
• Fixed ProviderMock having an invalid return type (#169)
• Dropped support for Symfony 4.3 and 5.0 to 5.3

• Added support for Symfony 6

• Fixed response for unauthorized headers containing a reflected XSS (https://github.com/nelmio/NelmioCorsBundle/pull/163)

• Added Vary: Origin header to cacheable responses to make sure proxies cache them correctly

• Reverted CorsListener priority change as it was interfering with normal operations. The priority is back at 250.

• BC Break: Downgraded CorsListener priority from 250 to 28, this should not affect anyone but could be a source in case of strange bugs
• BC Break: Removed support for Symfony <4.3
• BC Break: Removed support for PHP <7.1
• Added support for Symfony 5
• Added support for configuration via env vars
• Changed the code to avoid mutating the EventDispatcher at runtime
• Changed the code to avoid returning Access-Control-Allow-Origin: null headers to mark blocked requests

• Fixed preflight request handler hijacking regular non-CORS OPTIONS requests.

• Compatibility with Symfony 4.1
• Fixed preflight responses to always include Origin in the Vary HTTP header

• Compatibility with Symfony 4

• Fixed regression in 1.5.2

• Fixed bundle initialization in case paths is empty

• Fixed forced_allow_origin_value to always set the header regardless of CORS, so that requests can properly be cached even if they are not always accessed via CORS

• Added an forced_allow_origin_value option to force the value that is returned, in case you cache responses and can not have the allowed origin automatically set to the Origin header
• Fixed Access-Control-Allow-Headers being sent even when it was empty
• Fixed listener priority down to 250 (This may be BREAKING depending on what you do with your own listeners, but should be fine in most cases, just watch out).

• Fixed requirements to allow Symfony3

• Fixed a security regression in 1.3.2 that allowed GET requests to be executed from any domain

• Added an origin_regex option to allow defining origins based on regular expressions

• Remove 403 on non-OPTIONS requests that have an invalid origin header