  1. eZ Publish / Platform
  2. EZP-23889

RestProvider must check that is_rest_request is true


Details

    Description

      We have an HTML form element on a page served over HTTP.
      The form will submit data to /login_check using HTTPS, so we need to set up CORS.

      nelmio_cors:
          defaults:
              allow_credentials: false
              allow_origin: []
              allow_headers: []
              allow_methods: []
              expose_headers: []
              max_age: 0
              hosts: []
          paths:
              '^/login_check$':
                  allow_credentials: true
                  allow_origin: ['*']
                  allow_headers: ['Origin', 'X-Requested-With', 'Content-Type', 'Accept', 'Cache-Control']
                  allow_methods: ['POST']
                  expose_headers: []
                  max_age: 0
      

      There are two CORS providers registered in the CORS options resolver: \Nelmio\CorsBundle\Options\ConfigProvider and \eZ\Bundle\EzPublishRestBundle\CorsOptions\RestProvider

      When the getOptions() of the latter returns (see https://github.com/nelmio/NelmioCorsBundle/blob/1.3.3/Options/Resolver.php#L46), the value of $options['allow_methods'] will be replaced by an empty array in this case.

      Otherwise the 'allowed_methods' previously set by \Nelmio\CorsBundle\Options\ConfigProvider in \Nelmio\CorsBundle\Options\Resolver::getOptions will be overwritten with the value of $return['allow_methods'] due to array_merge().

      Please note, there's already a pull request for this:
      https://github.com/ezsystems/ezpublish-kernel/pull/1132
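
The overwrite described in this ticket, as an added example that is not part of the original report and not code from either bundle: a simplified model of a resolver that merges provider options with array_merge(), run with and without an is_rest_request check. The function names, the array-shaped request, the `rest_methods` key and the modelling of is_rest_request as a request attribute are assumptions made for illustration.

```php
<?php
// Added illustration; not NelmioCorsBundle or eZ Publish code.
// All function names and the array-shaped request are hypothetical.

// Stand-in for the config-based provider: options for the matched path.
function configProviderOptions(array $request): array
{
    if ($request['path'] === '/login_check') {
        return ['allow_origin' => ['*'], 'allow_methods' => ['POST']];
    }
    return ['allow_origin' => [], 'allow_methods' => []];
}

// REST provider that always returns an 'allow_methods' key, even for
// requests that are not REST requests (empty list in that case).
function restProviderUnchecked(array $request): array
{
    return ['allow_methods' => $request['rest_methods'] ?? []];
}

// Same provider, but it contributes nothing unless is_rest_request is true.
function restProviderChecked(array $request): array
{
    if (($request['attributes']['is_rest_request'] ?? false) !== true) {
        return [];
    }
    return ['allow_methods' => $request['rest_methods'] ?? []];
}

// Resolver model: later providers win on string keys because of array_merge().
function resolveOptions(array $providers, array $request): array
{
    $options = [];
    foreach ($providers as $provider) {
        $options[] = $provider($request);
    }
    return array_merge(...$options);
}

// Constructed request: the login form POST, which is not a REST request.
$request = ['path' => '/login_check', 'attributes' => []];

$before = resolveOptions(['configProviderOptions', 'restProviderUnchecked'], $request);
$after  = resolveOptions(['configProviderOptions', 'restProviderChecked'], $request);

echo 'unchecked: ', json_encode($before['allow_methods']), PHP_EOL;
echo 'checked:   ', json_encode($after['allow_methods']), PHP_EOL;
```

With the unchecked provider the merged `allow_methods` is empty, so the configured POST is lost for /login_check; with the check in place the configured value survives the merge.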


          People

            Unassigned Unassigned
            eduardo.fernandes-obsolete@ez.no Eduardo Fernandes (Inactive)