Important
You are browsing upcoming documentation for version 7.1 of OroCommerce, scheduled for release in 2027. Read the documentation for the latest LTS version to get up-to-date information.
Application Base URLs
The oro_sales_frontend.app_base_urls configuration option tells the OroCommerce back-office where the Sales Frontend application is hosted. The bundle uses this information to configure:
CORS - allows the Sales Frontend application to make cross-origin requests to the back-office login endpoints and the Back-Office Web API.
CSP - permits the back-office login pages to be embedded in an iframe of the Sales Frontend application.
Cookies - sets SameSite=None, Secure=true, and Partitioned=true on the session and OAuth2 access-token cookies when the Sales Frontend application is hosted on a different origin.
Note
Only absolute URLs (those containing :// or starting with //) trigger cross-origin configuration. Relative URLs are treated as same-origin and do not affect CORS, CSP, or cookie flags.
Configuration via YAML
The default approach is to set app_base_urls directly in the bundle configuration. When absolute URLs are present, the cross-origin cookie defaults (SameSite, Secure, Partitioned) are pre-calculated at compile time and stored as Symfony container parameters. CORS and CSP settings are always resolved at runtime from the app_base_urls parameter value regardless of how it is configured.
Same-origin example (Sales Frontend served under the same domain as back-office):
Cross-origin example (Sales Frontend served on a separate domain):
Warning
Once app_base_urls is set to a plain array in YAML, the ORO_SALES_FRONTEND_APP_BASE_URLS environment variable is ignored at runtime. To keep the ability to reconfigure the URLs without rebuilding the Symfony container, omit app_base_urls from the YAML configuration and use only the environment variable instead (see Configuration via Environment Variable (Runtime) below).
When an absolute URL is present, the bundle automatically pre-calculates the following cookie defaults at compile time (stored as Symfony container parameters):
access_token.cookie_secure: true
access_token.cookie_samesite: none
access_token.cookie_partitioned: true
session.cookie_secure: true
session.cookie_samesite: none
session.cookie_partitioned: true
After changing the YAML configuration, clear the Symfony cache:
php bin/console cache:clear
Configuration via Environment Variable (Runtime)
The ORO_SALES_FRONTEND_APP_BASE_URLS environment variable allows the base URLs to be changed without rebuilding the Symfony container. The value must be a JSON-encoded array of URL strings.
Or with multiple URLs:
Note
When the environment variable is used instead of a plain YAML array, cookie cross-origin flags and back-office API CORS origins are applied at runtime by the SalesFrontendCookieSettings provider and the AddSalesFrontendOriginsToApiCorsListener. No Symfony cache rebuild is required after changing the environment variable value.
Note
When ORO_SALES_FRONTEND_APP_BASE_URLS is not set, the value falls back to the app_base_urls value from the bundle configuration (['/sales-frontend'] by default).
Sub-Path Deployments
The environment variable is particularly useful in OroCloud environments where a common path prefix (such as /_bcd) is used for Sales Frontend deployments. Instead of rebuilding the container, the path can be reconfigured at runtime:
Note
Only absolute URLs (those containing :// or starting with //) enable cross-origin configuration. A bare path like /_bcd/sales-frontend is treated as same-origin and does not affect CORS, CSP, or cookie flags.
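A pre-deployment check for a candidate ORO_SALES_FRONTEND_APP_BASE_URLS value, as an added example that is not OroCommerce code: it applies the JSON-array requirement and the absolute-URL rule stated on this page and reports which entries would switch on the cross-origin settings. The function names, the origin derivation (scheme plus host), the warnings and the sample host are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Cookie flags this page lists for a cross-origin Sales Frontend.
CROSS_ORIGIN_COOKIE_FLAGS = {"samesite": "none", "secure": True, "partitioned": True}


def is_absolute(url: str) -> bool:
    # Rule as stated on this page: contains "://" or starts with "//".
    return "://" in url or url.startswith("//")


def check_app_base_urls(raw: str) -> dict:
    """Validate a candidate env value and report its expected cross-origin effect."""
    try:
        urls = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(urls, list) or not all(isinstance(u, str) for u in urls):
        raise ValueError("value must be a JSON array of URL strings")

    origins, warnings = [], []
    for url in filter(is_absolute, urls):
        parts = urlsplit(url)
        if not parts.netloc:
            # e.g. "/sf?next=https://x": matches the "://" rule but names no host.
            warnings.append(f"{url!r} counts as absolute but has no host")
            continue
        if parts.scheme == "http":
            warnings.append(f"{url!r} uses plain http; prefer https")
        # Assumption: the allowed origin is scheme + host[:port] of the URL.
        origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme else f"//{parts.netloc}"
        if origin not in origins:
            origins.append(origin)

    cross_origin = any(is_absolute(u) for u in urls)
    return {
        "cross_origin": cross_origin,
        "origins": origins,
        "cookie_flags": CROSS_ORIGIN_COOKIE_FLAGS if cross_origin else None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample value; sales.example.com is a placeholder host.
    sample = '["https://sales.example.com/app", "/_bcd/sales-frontend"]'
    print(json.dumps(check_app_base_urls(sample), indent=2))
```

A relative entry whose query string embeds a full URL is the case worth catching before deployment: by the rule above it contains :// and so counts as absolute, even though it names no separate host.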
Verifying the Active Value
To inspect the resolved parameter value at runtime:
php bin/console debug:container --parameter=oro_sales_frontend.app_base_urls
When the environment variable is not set, the output shows the compile-time default. When the variable is set, the output shows the env-var processor expression (the actual value is resolved at runtime).