From 6e7a6741e15ad4429af5fd511b6021b50e5ed6c4 Mon Sep 17 00:00:00 2001
From: nod_
Date: Thu, 22 Aug 2024 22:00:44 +0200
Subject: [PATCH] Issue #2905848 by urvashi_vora, adeshsharma, shimpy, quietone, kkalashnikov, rishabh vishwakarma, sourabhjain, mikejoconnor, alexpott, pradhumanjain2311, MeenakshiG, mr.baileys, smustgrave, sic, larowlan, longwave, johnhanley: Improve CORS configuration documentation
---
 .../scaffold/files/default.services.yml | 33 +++++++++++++++----
 sites/default/default.services.yml | 33 +++++++++++++++----
 2 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/core/assets/scaffold/files/default.services.yml b/core/assets/scaffold/files/default.services.yml
index 2c67f2a6097..ba416885b93 100644
--- a/core/assets/scaffold/files/default.services.yml
+++ b/core/assets/scaffold/files/default.services.yml
@@ -220,20 +220,39 @@ parameters:
 # Note: By default the configuration is disabled.
 cors.config:
 enabled: false
- # Specify allowed headers, like 'x-allowed-header'.
+ # Specifies allowed headers and sets the Access-Control-Allow-Headers
+ # header. For example, ['X-Custom-Header']. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
 allowedHeaders: []
- # Specify allowed request methods, specify ['*'] to allow all possible ones.
+ # Specifies allowed request methods and sets the
+ # Access-Control-Allow-Methods header. For example, ['POST', 'GET',
+ # 'OPTIONS'] or ['*'] to allow all. Note the wildcard is not yet implemented
+ # in all browsers. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
 allowedMethods: []
- # Configure requests allowed from specific origins. Do not include trailing
- # slashes with URLs.
+ # Configure requests allowed from specific origins and sets the
+ # Access-Control-Allow-Origin header. For example,
+ # ['https://www.drupal.org'] or ['*'] to allow any origin to access your
+ # resource. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 allowedOrigins: ['*']
 # Configure requests allowed from origins, matching against regex patterns.
 allowedOriginsPatterns: []
- # Sets the Access-Control-Expose-Headers header.
+ # Sets the Access-Control-Expose-Headers header. The default is false which
+ # means the header will not be set. To set the header use a comma delimited
+ # list within square brackets. For example, ['Content-Type', 'Expires'] or
+ # ['*'] to expose all headers. Setting exposedHeaders: ['*'] will result in
+ # a Access-Control-Expose-Headers: * response header. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
 exposedHeaders: false
- # Sets the Access-Control-Max-Age header.
+ # Setting Access-Control-Max-Age header value to '0' or false will omit this
+ # from the response. However, setting it to '-1' will explicitly disable
+ # caching. For example, setting the value to 600 will cache results of a
+ # preflight request for 10 minutes. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
 maxAge: false
- # Sets the Access-Control-Allow-Credentials header.
+ # Sets the Access-Control-Allow-Credentials header if set to true. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
 supportsCredentials: false
 queue.config:
diff --git a/sites/default/default.services.yml b/sites/default/default.services.yml
index 2c67f2a6097..ba416885b93 100644
--- a/sites/default/default.services.yml
+++ b/sites/default/default.services.yml
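Review bot: The rewritten `allowedOrigins` comment in the `core/assets/scaffold/files/default.services.yml` hunk drops the old warning not to include trailing slashes, and offers `['*']` as an ordinary example without saying how it interacts with `supportsCredentials`. Browsers refuse a literal `Access-Control-Allow-Origin: *` on credentialed requests, so a site that enables both is either broken or, if the middleware echoes the request origin instead (worth confirming), open to authenticated cross-origin reads from any site. I would keep the trailing-slash sentence and add to the `supportsCredentials` comment something like `# Do not combine with allowedOrigins: ['*']; list the trusted origins explicitly.` The new `maxAge` comment also no longer states which header the key sets, and the `exposedHeaders` text should read "an Access-Control-Expose-Headers". The identical hunk for `sites/default/default.services.yml` needs the same changes.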
@@ -220,20 +220,39 @@ parameters:
 # Note: By default the configuration is disabled.
 cors.config:
 enabled: false
- # Specify allowed headers, like 'x-allowed-header'.
+ # Specifies allowed headers and sets the Access-Control-Allow-Headers
+ # header. For example, ['X-Custom-Header']. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers
 allowedHeaders: []
- # Specify allowed request methods, specify ['*'] to allow all possible ones.
+ # Specifies allowed request methods and sets the
+ # Access-Control-Allow-Methods header. For example, ['POST', 'GET',
+ # 'OPTIONS'] or ['*'] to allow all. Note the wildcard is not yet implemented
+ # in all browsers. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods
 allowedMethods: []
- # Configure requests allowed from specific origins. Do not include trailing
- # slashes with URLs.
+ # Configure requests allowed from specific origins and sets the
+ # Access-Control-Allow-Origin header. For example,
+ # ['https://www.drupal.org'] or ['*'] to allow any origin to access your
+ # resource. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
 allowedOrigins: ['*']
 # Configure requests allowed from origins, matching against regex patterns.
 allowedOriginsPatterns: []
- # Sets the Access-Control-Expose-Headers header.
+ # Sets the Access-Control-Expose-Headers header. The default is false which
+ # means the header will not be set. To set the header use a comma delimited
+ # list within square brackets. For example, ['Content-Type', 'Expires'] or
+ # ['*'] to expose all headers. Setting exposedHeaders: ['*'] will result in
+ # a Access-Control-Expose-Headers: * response header. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers
 exposedHeaders: false
- # Sets the Access-Control-Max-Age header.
+ # Setting Access-Control-Max-Age header value to '0' or false will omit this
+ # from the response. However, setting it to '-1' will explicitly disable
+ # caching. For example, setting the value to 600 will cache results of a
+ # preflight request for 10 minutes. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age
 maxAge: false
- # Sets the Access-Control-Allow-Credentials header.
+ # Sets the Access-Control-Allow-Credentials header if set to true. See
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials
 supportsCredentials: false
 queue.config: