Published on October 17, 2023, a change recorded by John Herreño in Drupal core development highlights the integration of regex support for matching via "allowedOriginsPatterns" in Cross-Origin Resource Sharing (CORS). This development was introduced in the 10.2.x branch of Drupal core, commencing with version 10.2.0.

This change centers around the utilization of the asm89/stack-cors library, which, with version 1.2.0, permits the use of regex patterns to match against the origin header using the "allowedOriginsPatterns" configuration option. The implementation introduces increased flexibility for configuring CORS settings. For example, it facilitates projects that manage per-branch or per-ticket environments in sub-domains following specific naming patterns to establish a single encompassing rule. One illustration of this adaptability is evident in rules like "allowedOriginsPatterns: ['#^http:[a-z1-9-]*\.mysite.com$#'], allowing the inclusion of origins like "http://pr-123.mysite.com" while excluding others like "http://longermysite.com."

You May Like

Blog

How We Built a Newsletter System on Drupal with Mailchimp Integration

Blog

How We Built a Newsletter System on Drupal with Mailchimp Integration

Notably, default.services.yml files packaged with Drupal core now incorporate "allowedOriginsPatterns," albeit set as an empty array. This ensures the seamless operation of existing websites, whether they adhere to the default allowedOrigins or have customized their CORS settings to restrict access. This change impacts site builders, administrators, and editors, providing them with a more versatile tool for CORS configuration. While the implementation brings about fundamental changes, documentation updates, reviews, and related tasks remain pending, indicating ongoing efforts to make this feature more accessible and understandable for the Drupal community. 

Learn more here.