Important
You are browsing upcoming documentation for version 7.0 of OroCommerce, scheduled for release in 2026. Read the documentation for the latest LTS version to get up-to-date information.
See our Release Process documentation for more information on the currently supported and upcoming releases.
Cross-Origin Resource Sharing (CORS)
SalesFrontendBundle automatically configures CORS headers to allow cross-origin requests to the OroCommerce application made from the Sales Frontend application.
CORS is automatically configured for the following URLs:
%oro_sales_frontend.routing_prefix%/oauth2/check-token
%oro_sales_frontend.routing_prefix%/oauth2/refresh-token
%oro_sales_frontend.routing_prefix%/user/login
%oro_sales_frontend.routing_prefix%/user/logout
where %oro_sales_frontend.routing_prefix% is /admin/sales-frontend by default.
Note
The routing prefix can be changed via the bundle configuration; see Routing Prefix configuration for details.
CORS is configured by \Oro\Bundle\SalesFrontendBundle\EventListener\Kernel\SetCrossOriginResourceSharingPolicyListener, which by default sets the following:
Allowed origins: the Sales Frontend application hosts (configured automatically as per the oro_sales_frontend.app_base_urls bundle configuration setting).
Allowed methods: GET, POST
Allowed credentials: true
Allowed headers: all
Exposed headers: none
Max age: 600 seconds
Note
You can customize the methods, headers, and max age via the corresponding setter methods in SetCrossOriginResourceSharingPolicyListener.
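The defaults listed above can be verified against a captured preflight response. The following Python check is an added example, not code from OroCommerce; the host names and header sets are constructed, and it assumes each oro_sales_frontend.app_base_urls entry is an absolute URL whose scheme and host form the allowed origin.

```python
from urllib.parse import urlsplit
# Defaults documented above for the Sales Frontend routes.
DEFAULTS = {"methods": {"GET", "POST"}, "credentials": "true", "max_age": "600"}


def origin_of(url):
    """Reduce a base URL to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def audit_preflight(request_origin, response_headers, app_base_urls):
    """Return deviations from the documented defaults (empty list = conforms)."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    origin = request_origin.lower()
    acao = h.get("access-control-allow-origin", "").lower()
    if origin not in {origin_of(u) for u in app_base_urls}:
        # An origin outside app_base_urls must not be granted access.
        return [f"unlisted origin granted: {acao}"] if acao in ("*", origin) else []
    findings = []
    if acao == "*":
        findings.append("wildcard origin is invalid for credentialed requests")
    elif acao != origin:
        findings.append("listed origin not echoed in Access-Control-Allow-Origin")
    if h.get("access-control-allow-credentials") != DEFAULTS["credentials"]:
        findings.append("Access-Control-Allow-Credentials is not 'true'")
    raw = h.get("access-control-allow-methods", "")
    extra = {m.strip().upper() for m in raw.split(",") if m.strip()} - DEFAULTS["methods"]
    if extra:
        findings.append(f"unexpected methods: {sorted(extra)}")
    if h.get("access-control-expose-headers"):
        findings.append("response exposes headers, documented default is none")
    if h.get("access-control-max-age") != DEFAULTS["max_age"]:
        findings.append("Access-Control-Max-Age differs from the documented 600")
    return findings


# Constructed sample data: hypothetical host names and captured preflight headers.
BASE_URLS = ["https://sales.example.com/app/"]
CONFORMING = {
    "Access-Control-Allow-Origin": "https://sales.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Max-Age": "600",
}
REFLECTED = {**CONFORMING, "Access-Control-Allow-Origin": "https://other.example.net"}

if __name__ == "__main__":
    print(audit_preflight("https://other.example.net", REFLECTED, BASE_URLS))
```

If the methods or max age have been customized through the listener's setters, adjust DEFAULTS to match before running the check.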
Back-Office Web API
SalesFrontendBundle automatically configures CORS for the Back-Office Web API to ensure that the Sales Frontend application can communicate with it:
Allowed origins: the Sales Frontend application hosts (configured automatically as per the oro_sales_frontend.app_base_urls bundle configuration setting).
Allowed credentials: true
Other CORS settings of the Back-Office Web API remain unchanged.