Global navigation

   Documentation Center
   eZ Studio & eZ Platform
     User Manual
     Technical Manual
   eZ Publish 4.x / legacy

eZ Publish (5.x)

eZ Publish 5.x | For eZ Platform & eZ Studio topics see Technical manual and User manual, for eZ Publish 4.x and Legacy topics see eZ Publish legacy

Skip to end of metadata
Go to start of metadata

eZ Publish ships with NelmioCorsBundle, a Symfony open-source bundle that provides support for CORS (Cross Origin Resource Sharing). The REST API is pre-configured to respond to such requests, as long as you customize the allowed origins as explained below.

What is CORS

Supported by most modern browsers, this W3C specification defines a set of custom headers that, under specific circumstances, allow HTTP requests between different hosts. The main use-case is execution of AJAX code from one site towards another.

A couple links about it:


Since CORS support is provided by a 3rd party bundle, we re-use the semantical configuration it provides. You can read more about it on the NelmiCorsBundle's README file.

The origin of a request is one of the main criteria for allowing or blocking a cross origin request. Such requests will come with an Origin HTTP header, automatically added by the browser, that gets approved/blocked by the server. By default, all cross origin requests will be blocked.

Granting an origin default access

To allow a specific host to execute cross-origin requests, you need to add this host to the nelmio_cors.default.allow_origin configuration array in config.yml. As an example, in order to allow requests from, one would add those lines to ezpublish/config/config.yml:

Granting CORS access to your own HTTP resources

The Cors bundle is of course perfectly safe to use for any non-eZ HTTP resource you would like to expose.
Follow the instructions in NelmioCorsBundle's configuration chapter.

1 Comment

  1. Unknown User (reneh)

    If you have problems getting CORS to work and you receive "Request-Allow-Origin: null" make sure you add 'allowedMethods' to your corresponding entry in rest_routes.yml:


    pattern: /pattern
    _controller: bundle.controller.default:dosomething
    allowedMethods: "OPTIONS,POST"
    methods: [POST,OPTIONS]