Prevent adding Link headers for CORS preflight requets

[dunglas]

Q	A
Bug fix?	yes
New feature?	no
BC breaks?	no
Deprecations?	yes/no
Tickets	fixes #3262
License	MIT
Doc PR	n/a

Preflight requests cannot be accessed in JS, therefore settings the Link headers for Hydra and Mercure is useless for these requests Not setting them prevent the issues with invalid URLs being generated. This an alternative fix to #3262.

[teohhanhui]

I think this approach is risky. During my exploration from many years ago, I came upon this conclusion: nelmio/NelmioCorsBundle#54 (comment)

[teohhanhui]

Really, NelmioCorsBundle is breaking all OPTIONS requests, it should be fixed there...

[dunglas]

But is there a better short term solution as NelmioCors won't change soon? It doesn't hurt for these 2 specific headers to not be generated for preflight requests (actually, it will even help reducing servers' load). It's not a general solution, but for Mercure and Hydra it's good enough IMO.

[teohhanhui]

There are consequences for caching. We must add Vary: Access-Control-Request-Method now, which is really telling us that we're going in the wrong direction...

[teohhanhui]

For a short term solution, I'd rather we set the correct values in the RequestContext as suggested in nelmio/NelmioCorsBundle#125 (comment) (NelmioCorsBundle breaks it, we un-break it), instead of varying the response based on this header.

[dunglas]

I don't want to introduce such complexity (a new listener that we'll have to maintain BC for) just to fix this issue with a 3rd party library. And NelmioCors is already returning a different response for Preflight requests and non-preflight requests, so the potential cache issue already exists.

My proposal is to:

• "temporarily" merge this as a quick fix
• remove those checks if/when NelmioCors is fixed, or if Symfony includes native CORS support (it would be the best option IMHO)

[teohhanhui]

Thanks @dunglas! 🎉