Allow access from every subdomain NelmioCorsBundle


On my project, I have a subdomain for every client. I want to set a rule in the nelmio_cors.yaml file that will allow every subdomain to access my /api.

In my code I have:

File: /config/packages/prod/nelmio_cors.yaml

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: ['https://default.com']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization', 'Access-Control-Allow-Origin']
        max_age: 3600
    paths:
        '^/api/':
            allow_origin: ['https://default.com','*.example.com', '^(https?://.+\.example\.com(?::\d{1,5})?)$']
            allow_headers: ['Accept', 'X-Custom-Auth', 'Content-Type', 'Authorization', 'cache-control', 'x-requested-with', 'Access-Control-Allow-Origin']
            allow_methods: ['POST', 'GET', 'PUT', 'DELETE', 'PATCH', 'OPTIONS']
            allow_credentials: true
            max_age: 3600

So I tried, as in the example, *.example.com and ^(https?://.+\.example\.com(?::\d{1,5})?)$ but that doesn't work. If I put * it works, but then I allow access from everywhere.


There is 1 best solution below


Wildcards are not supported, but the origin_regex option is. This configuration works for me and allows all subdomains of mydomain.com:

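nelmio_cors:
    defaults:
        origin_regex: true
        # Dots are escaped and the pattern is anchored at the end, so only
        # mydomain.com and its subdomains (optionally with a port) match.
        allow_origin: ['^https://(.+\.)?mydomain\.com(?::\d{1,5})?$']
        allow_methods: ['GET', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE']
        allow_headers: ['Content-Type', 'Authorization']
        expose_headers: ['Link']
        max_age: 3600
    paths:
        '^/': null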
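
Because origin_regex entries are regular expressions, an unescaped dot or a missing end anchor lets unrelated hosts match. The following is an added example, not part of the original answer or of NelmioCorsBundle: it audits a loosely written pattern and a stricter one against constructed Origin values. The sample origins, the stricter pattern and the assumption that patterns are applied as unanchored, case-insensitive searches are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

BASE_DOMAIN = "mydomain.com"  # domain used in the answer above

# Constructed sample Origin header values (not taken from real traffic).
SAMPLE_ORIGINS = [
    "https://mydomain.com",
    "https://client1.mydomain.com",
    "https://a.b.mydomain.com",
    "https://client1.mydomain.com:8443",
    "https://evilmydomain.com",            # different registrable domain
    "https://mydomain.com.attacker.test",  # base domain used as a prefix
    "https://mydomainxcom.attacker.test",  # unescaped "." matches any char
    "http://client1.mydomain.com",         # plain HTTP
]

# Loose: dots unescaped, no end anchor.
LOOSE = r"^https://(.+.)?mydomain.com"
# Strict (hypothetical): escaped dots, label charset, optional port, end anchor.
STRICT = r"^https://([a-z0-9-]+\.)*mydomain\.com(?::\d{1,5})?$"


def is_trusted(origin: str) -> bool:
    """Ground truth: HTTPS, and host is BASE_DOMAIN or a subdomain of it."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == BASE_DOMAIN or host.endswith("." + BASE_DOMAIN)
    )


def matches(pattern: str, origin: str) -> bool:
    # Assumption: each allow_origin entry is applied as an unanchored,
    # case-insensitive regex search, so anchors must be in the pattern.
    return re.search(pattern, origin, re.IGNORECASE) is not None


def audit(pattern, origins=SAMPLE_ORIGINS):
    """Return (wrongly_allowed, wrongly_denied) for a candidate pattern."""
    allowed = [o for o in origins if not is_trusted(o) and matches(pattern, o)]
    denied = [o for o in origins if is_trusted(o) and not matches(pattern, o)]
    return allowed, denied


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        allowed, denied = audit(pat)
        print(f"{name}: wrongly allowed={allowed} wrongly denied={denied}")
```

Extend SAMPLE_ORIGINS with your real client subdomains before changing allow_origin; a non-empty first list means foreign sites would pass the origin check.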