Drupal Core Introduces Regex Support for CORS via 'allowedOriginsPatterns'


Published on October 17, 2023, a change recorded by John Herreño in Drupal core development adds regex support for origin matching in Cross-Origin Resource Sharing (CORS) via "allowedOriginsPatterns". The change was introduced in the 10.2.x branch of Drupal core, starting with version 10.2.0.

This change relies on the asm89/stack-cors library, which, with version 1.2.0, permits regex patterns to be matched against the Origin header through the "allowedOriginsPatterns" configuration option. This gives more flexibility when configuring CORS. For example, projects that run per-branch or per-ticket environments on sub-domains following a specific naming pattern can cover them with a single rule. A rule such as "allowedOriginsPatterns: ['#^http://[a-z1-9-]*\.mysite.com$#']" allows origins like "http://pr-123.mysite.com" while excluding others like "http://longermysite.com".
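Before a pattern goes into services.yml, it helps to check it against origins that should and should not pass. The script below is an added example, not code from Drupal core or asm89/stack-cors; it assumes a pattern allows an origin when PHP's preg_match() returns 1. The function names, the test origins and the tightened pattern are constructed for illustration, and the article's pattern is written with `//` after `http:` so it can match a full origin.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core or asm89/stack-cors code.
// Assumption: a pattern allows an origin when preg_match() returns 1.
function origin_allowed(string $origin, array $patterns): bool {
  foreach ($patterns as $pattern) {
    $result = @preg_match($pattern, $origin);
    if ($result === false) {
      throw new InvalidArgumentException("Invalid regex: $pattern");
    }
    if ($result === 1) {
      return true;
    }
  }
  return false;
}

// Returns one line per origin where the rule disagrees with the intent.
function audit_patterns(array $patterns, array $intent): array {
  $mismatches = [];
  foreach ($intent as $origin => $shouldAllow) {
    $allowed = origin_allowed($origin, $patterns);
    if ($allowed !== $shouldAllow) {
      $mismatches[] = sprintf('%s: %s, intended %s', $origin,
        $allowed ? 'allowed' : 'rejected', $shouldAllow ? 'allowed' : 'rejected');
    }
  }
  return $mismatches;
}

// Constructed origins for the hypothetical mysite.com review environments.
$intent = [
  'http://pr-123.mysite.com' => true,
  'http://pr-100.mysite.com' => true,   // digit 0 is outside [a-z1-9-]
  'http://longermysite.com'  => false,
  'http://pr-1.mysite-com'   => false,  // unescaped "." matches any character
  'http://.mysite.com'       => false,  // "*" accepts an empty label
];

$rules = [
  'as in the article' => ['#^http://[a-z1-9-]*\.mysite.com$#'],
  'tightened'         => ['#^http://[a-z0-9-]+\.mysite\.com$#'],
];

foreach ($rules as $label => $patterns) {
  $mismatches = audit_patterns($patterns, $intent);
  echo $label, ': ', $mismatches ? implode('; ', $mismatches) : 'matches intent', PHP_EOL;
}
```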

Notably, the default.services.yml files packaged with Drupal core now include "allowedOriginsPatterns", set to an empty array. This keeps existing websites working unchanged, whether they use the default allowedOrigins or have customized their CORS settings to restrict access. The change impacts site builders, administrators, and editors, giving them a more versatile tool for CORS configuration. While the implementation brings about fundamental changes, documentation updates, reviews, and related tasks remain pending, indicating ongoing efforts to make this feature more accessible and understandable for the Drupal community.
