Symfony FosRest and NelmioCors A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin'

Question

I using FOSRestBundle with Nelmio Cors Bundle and have some endpoints, /api/name_end_points and I need for some server have authority to call this endpoints. Now I have error in console

XMLHttpRequest cannot load http://mydomain.com.com/api/endpoint?value=test&value1=test. A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://localhost:3000' is therefore not allowed access.

This my config:

fos_rest:
param_fetcher_listener: true
body_listener: true
format_listener: true
view:
    view_response_listener: 'force'
    formats:
        xml: true
        json : true
    templating_formats:
        html: true
    force_redirects:
        html: true
    failed_validation: HTTP_BAD_REQUEST
    default_engine: twig
routing_loader:
    default_format: json

nelmio_cors:
defaults:
    allow_credentials: false
    allow_origin: []
    allow_headers: []
    allow_methods: []
    expose_headers: []
    max_age: 0
    hosts: []
    origin_regex: false
paths:
    '^/':
        allow_origin: ['*']
        allow_headers: ['*']
        allow_methods: ['POST', 'PUT', 'GET', 'DELETE']
        max_age: 3600

How to correct config NelmioCorsBundle if I want access true for some server for my endpoints ? Like this

            allow_origin: ['*aog.jobs*', '*localhost*']

and deleted default ?

Answer 1

You need to explicitly state that the origin (as specified in the Origin request header) is allowed to access the resource by copying the value of the Origin request header into the Access-Control-Allow-Origin response header (instead of hard coding *).

Be very sure you want to make this globally accessible to the world before you do so (or perform a test on the value of the Origin header to make sure it is OK).