Skip to content

Latest commit

 

History

History
110 lines (64 loc) · 4.07 KB

CHANGELOG.md

File metadata and controls

110 lines (64 loc) · 4.07 KB
Raw

Newer changelog entries can be found in the GitHub Releases

2.3.0 (2023-02-15)

  • Downgraded CacheableResponseVaryListener's priority from 0 to -10 to ensure it runs after FrameworkExtraBundle listeners have set their cache headers (#179)
  • Added optional logging support if you inject a Logger into the CorsListener you can get debug info about the whole CORS decision process (#173)
  • Added support for setting expose_headers to a wildcard '*' which exposes all headers, this works as long as allow_credentials is not enabled as per the spec (#132)
  • Added skip_same_as_origin flag (default to true which is the old behavior) to allow opting out of skipping the CORS headers in the response if the Origin matches the application's hostname (#178)
  • Fixed ProviderMock having an invalid return type (#169)
  • Dropped support for Symfony 4.3 and 5.0 to 5.3

2.2.0 (2021-12-01)

  • Added support for Symfony 6

2.1.1 (2021-04-20)

  • Fixed response for unauthorized headers containing a reflected XSS (#163)

2.1.0 (2020-07-22)

  • Added Vary: Origin header to cacheable responses to make sure proxies cache them correctly

2.0.1 (2019-11-15)

  • Reverted CorsListener priority change as it was interfering with normal operations. The priority is back at 250.

2.0.0 (2019-11-12)

  • BC Break: Downgraded CorsListener priority from 250 to 28, this should not affect anyone but could be a source in case of strange bugs
  • BC Break: Removed support for Symfony <4.3
  • BC Break: Removed support for PHP <7.1
  • Added support for Symfony 5
  • Added support for configuration via env vars
  • Changed the code to avoid mutating the EventDispatcher at runtime
  • Changed the code to avoid returning Access-Control-Allow-Origin: null headers to mark blocked requests

1.5.6 (2019-06-17)

  • Fixed preflight request handler hijacking regular non-CORS OPTIONS requests.

1.5.5 (2019-02-27)

  • Compatibility with Symfony 4.1
  • Fixed preflight responses to always include Origin in the Vary HTTP header

1.5.4 (2017-12-11)

  • Compatibility with Symfony 4

1.5.3 (2017-04-24)

  • Fixed regression in 1.5.2

1.5.2 (2017-04-21)

  • Fixed bundle initialization in case paths is empty

1.5.1 (2017-01-22)

  • Fixed forced_allow_origin_value to always set the header regardless of CORS, so that requests can properly be cached even if they are not always accessed via CORS

1.5.0 (2016-12-30)

  • Added an forced_allow_origin_value option to force the value that is returned, in case you cache responses and can not have the allowed origin automatically set to the Origin header
  • Fixed Access-Control-Allow-Headers being sent even when it was empty
  • Fixed listener priority down to 250 (This may be BREAKING depending on what you do with your own listeners, but should be fine in most cases, just watch out).

1.4.1 (2015-12-09)

  • Fixed requirements to allow Symfony3

1.4.0 (2015-01-13)

  • Added an origin_regex option to allow defining origins based on regular expressions

1.3.3 (2014-12-10)

  • Fixed a security regression in 1.3.2 that allowed GET requests to be executed from any domain

1.3.2 (2014-09-18)

  • Removed 403 responses on non-OPTIONS requests that have an invalid origin header

1.3.1 (2014-07-21)

  • Fixed path key normalization to allow dashes in paths
  • Fixed HTTP method case folding to support clients that send non-uppercased method names

1.3.0 (2014-02-06)

  • Added support for host-based configuration of the bundle

1.2.0 (2013-10-29)

  • Bumped symfony dependency to 2.1.0+
  • Fixed invalid trigger of the CORS check when the Origin header is present on same-host requests
  • Fixed fatal error when allow_methods was not configured for a given path

1.1.1 (2013-08-14)

  • Fixed issue when allow_origin is set to * and allow_credentials to true.

1.1.0 (2013-07-29)

  • Added ability to set a wildcard on accept_headers

1.0.0 (2013-01-07)

  • Initial release