From 36c60413479bf5e5ca7f0b88832d16ff4bfd4601 Mon Sep 17 00:00:00 2001
From: fberthereau
Date: Wed, 21 May 2025 10:46:01 +0200
Subject: [PATCH] Fix listener to allow request that don't need cors
---
 Security/Listener/CorsSecurityListener.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Security/Listener/CorsSecurityListener.php b/Security/Listener/CorsSecurityListener.php
index dcc6c33..0a5d5cb 100644
--- a/Security/Listener/CorsSecurityListener.php
+++ b/Security/Listener/CorsSecurityListener.php
@@ -43,6 +43,11 @@ public function onKernelRequest(RequestEvent $event): void
 return;
 }
 
+ // If Origin header was the same as the request host, we can skip CORS validation
+ if ($request->headers->get('Origin') === $request->getSchemeAndHttpHost()) {
+ return;
+ }
+
 // If the request has an Origin header and the CORS listener has not validated it, deny the request
 if (
 $request->headers->has('Origin')
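Review bot: The added same-origin shortcut trusts `$request->getSchemeAndHttpHost()`, which Symfony builds from the request's `Host` header (or from `X-Forwarded-*` headers when proxies are trusted), so the early `return` is only as reliable as that value. If the application answers for arbitrary `Host` values, a request whose `Host` and `Origin` both name another domain would skip the deny branch that follows. Restricting accepted hosts with `framework.trusted_hosts` should close this. Conversely, behind a TLS-terminating proxy without trusted-proxy configuration the scheme would presumably resolve to `http` and the comparison would never match, so the fix would have no effect there. I would state the dependency next to the check, e.g. `// Assumes Host is validated (framework.trusted_hosts) and trusted proxies are configured, so this reflects the real public origin`. The body of `onKernelRequest` starts before and continues past this hunk, so the earlier guard and the rest of the deny condition are not visible here.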