Details
Bug
Resolution: Unresolved
High
Description
Using the REST API client on the same domain works well, while using it cross-domain (= CORS requests) seems to fail for several reasons:
- On the server side: when a preflight request is sent, the response headers do not contain Access-Control-Allow-Methods despite the nelmio_cors config. The original request is then rejected (405 method not allowed). This header seems to be overwritten by an empty value somewhere in ezPublishRestBundle
- On the client side: no session cookie is sent with a request. This seems to come from a missing statement in CAPI.js:
XHR.withCredentials = true;
Note: reaching problem 2 is only possible by hacking ezPublishRestBundle to get rid of problem 1
Full details
Read this Stack Overflow post for a full detailed explanation of the problem
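
The two problems reported above can be checked against a captured preflight response. The following is an added diagnostic example, not code from this report, eZ Publish or CAPI.js; the function names, the origin, the DELETE method and the header values are constructed assumptions. It applies the browser-side rules for method, origin and credentials only.

```javascript
// Added diagnostic example, not code from eZ Publish or CAPI.js.
// Covers method, origin and credentials only; request headers are not checked.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns a list of reasons a browser would block the real request.
function checkPreflight(request, status, headers) {
  const { origin, method, withCredentials } = request;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const problems = [];

  if (status < 200 || status > 299) problems.push(`preflight status ${status} is not 2xx`);

  const allowOrigin = h["access-control-allow-origin"];
  if (withCredentials) {
    // Credentialed requests need the exact origin and an explicit opt-in.
    if (allowOrigin !== origin) problems.push("Access-Control-Allow-Origin must equal the request origin");
    if (h["access-control-allow-credentials"] !== "true") problems.push("Access-Control-Allow-Credentials must be \"true\"");
  } else if (allowOrigin !== "*" && allowOrigin !== origin) {
    problems.push("Access-Control-Allow-Origin does not match the request origin");
  }

  // "*" in Allow-Methods is only a wildcard for non-credentialed requests.
  const allowed = parseList(h["access-control-allow-methods"]);
  const wildcard = !withCredentials && allowed.includes("*");
  const m = method.toUpperCase();
  if (!SAFELISTED_METHODS.has(m) && !wildcard && !allowed.includes(m)) {
    problems.push(`Access-Control-Allow-Methods does not list ${m}`);
  }
  return problems;
}

// Constructed sample data (origin, method and header values are illustrative).
const REQUEST = { origin: "https://app.example", method: "DELETE", withCredentials: true };
const EMPTY_METHODS = { "Access-Control-Allow-Origin": "https://app.example", "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "" };
const FIXED = { ...EMPTY_METHODS, "Access-Control-Allow-Methods": "GET, POST, DELETE" };

console.log(checkPreflight(REQUEST, 200, EMPTY_METHODS));
console.log(checkPreflight(REQUEST, 200, FIXED));
```

Once the client sets `withCredentials`, a server that answers with `Access-Control-Allow-Origin: *` fails this check as well, so the server-side CORS configuration has to name the calling origin explicitly.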