Problem

There is no description and code example that shows where the middleware must / can be inserted into a Mezzio application.

Suggestion

The basic usage with adding middleware and creating the configuration can be described in a quick start guide. A new page and navigation entry is needed for this.

...that is all: the function setAllowedMethods() is missing in AbstractConfiguration.

Documentation Needed

Summary

We do lacking documentation on how to configure per-route CORS options when not using the ApplicationConfigInjectionDelegator.

When using Application::route or one of the wrapper methods, it is not that obvious that the return value is the Route and thus it is possible to set the per-route options using Route::setOptions.

Bug Report

Summary

Documentation examples hint that allowed origins shall be defined with hostnames or domains but the extension expexts URI strings in a fnmatch pattern format. This is misleading and examples do not work.

Current behavior

Since documentation hints a wrong allowed origin URI format, extension does not work as expected.

How to reproduce

Use any simple domain as allowed origin, it will not match and will fall back to a 403 error.

Expected behavior

Either documentation should have examples with proper URL format.

Bug Report

Summary

Current behavior

While trying to use cors from installation page I see error below

Unable to resolve service "Psr\Http\Message\UriFactoryInterface" to a factory; are you certain you provided it during configuration?
triggered here https://github.com/mezzio/mezzio-cors/blob/1.1.x/src/Service/CorsFactory.php#L15
It seems one would have to specify a UriFactory mapped to this interface

How to reproduce

Expected behavior

Bug Report

Summary

The route configuration constant RouteConfigurationInterface::PARAMETER_IDENTIFIER contains expressive.cors and thus still contains the pre-migration value which I actually missed when porting to mezzio.

Current behavior

Constant value reflects expressive.cors.

How to reproduce

n/a

Expected behavior

Constant value reflects mezzio.cors.
When the constant value is changed, we should also grab the old route parameter expressive.cors from the configuration until the next major version.

Bug Report

Summary

Access-Control-Max-Age Currently returns an empty value if not set via the configuration. This does not adhere to the specification in which it should be either a deltatime (vumeric value) or be omitted.

Current behavior

If the Access-Control-Max-Age is not set, the preflight response still contains the Header but does not include a value.

How to reproduce

Omit the Access-Control-Max-Age Configuration entry for the global config and (if existing) the route specifig config. The OPTIONS Request will still contain the header but with no value.

Expected behavior

If no value is set, the header should be ommited from the response (or if easier for the implementation) contain a default value.

Bug Report

Summary

When a request is made from an origin that its scheme is not http(s), the pre flight request fails and we understand that this may be caused by the URI factory

Current behavior

When our Origin is capacitor://xyz.com, pre flight request fails

How to reproduce

Make a preflight request with a non http(s) scheme

Expected behavior

Preflight and CORS request should proceed as this is a valid URI

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

• WARN: Use matchDepNames instead of matchPackageNames

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• Lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update dependency phpunit/phpunit to v11

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Bug Report

Mezzio\Cors\Exception\InvalidOriginValueException raised in file /vendor/mezzio/mezzio-cors/src/Exception/InvalidOriginValueException.php in line 21 with message: Provided Origin "capacitor://localhost" is invalid.

Summary

While running IOS Simulator in XCode, An Exception is raised from the mezzio-cors package.

Current behavior

The exception is raised on every request comes from the cliend side (XCode Simulator). mezzio-cors claims that capacitor://localhost is invalid origin

How to reproduce

in pipeline.php

use Mezzio\Cors\Middleware\CorsMiddleware;

$app->pipe(CorsMiddleware::class);

Expected behavior

Should be able to add the capacitor://localhost to the allowed origins

return [
    ConfigurationInterface::CONFIGURATION_IDENTIFIER => [
        'allowed_origins' => ['capacitor://localhost', 'http://localhost'],
        'allowed_headers' => ['Content-Type', ' Access-Control-Allow-Headers', 'Authorization'],
        'allowed_max_age' => '3600',
        'credentials_allowed' => true,
        'exposed_headers' => []
    ],

PS. This is my first bug report ;)

Bug Report

It seems that the explicit option does currently not work and will always be overwritten.

Summary

Explicit route options are not possible and thus project config will always overwrite route config.

Current behavior

Setting the explicit option on a route is not possible, as it will always be overwritten by the ConfigurationLocator

How to reproduce

The example provided in "Enable Project Merging" should already fail, as "explicit" is overwritten due to

private function explicit(array $allowedMethods): bool
{
    return $allowedMethods === CorsMetadata::ALLOWED_REQUEST_METHODS;
}

failing if $allowedMethods is i.e. only 'GET'

Expected behavior

If explicit is set on a route it should not be overwritten.

PHP declaration in composer.json feels wrong:

"php": "^7.4 || ^8.0 || ~8.1.0"

it should either be "^7.4 || ~8.0.0 || ~8.1.0" like in other mezzio packages to control PHP 8.x support or "^7.4 || ^8.0" to show that any 8.x is supported

Not really a bug but a smelly declaration