README.md

@@ -21,6 +21,8 @@ dbp_relay_core:
     messenger_transport_dsn: '%env(MESSENGER_TRANSPORT_DSN)'
 ```
 
+### Locking
+
 To handle [locking](https://symfony.com/doc/current/components/lock.html) you need to set above `lock_dsn` config,
 for example as `lock_dsn: '%env(LOCK_DSN)%'` with an environment variable `LOCK_DSN` in your `.env` file or by any other means.
 
@@ -36,6 +38,8 @@ LOCK_DSN=redis://redis:6379/
 LOCK_DSN=semaphore
 ```
 
+### Symfony Messenger
+
 For projects that also use the [Symfony Messenger](https://symfony.com/doc/current/components/messenger.html)
 you need to set above `messenger_transport_dsn` config, for example as `messenger_transport_dsn: '%env(MESSENGER_TRANSPORT_DSN)%'`
 with an environment variable `MESSENGER_TRANSPORT_DSN` in your `.env` file or by any other means.

src/DependencyInjection/DbpRelayCoreExtension.php

@@ -128,6 +128,13 @@ class DbpRelayCoreExtension extends ConfigurableExtension implements PrependExte
                     'allow_headers' => $allowHeaders,
                     'expose_headers' => $exposeHeaders,
                     'max_age' => 3600,
+                    // XXX: Try to work around a bug in Apache, which strips CORS headers from 304 responses:
+                    // https://bz.apache.org/bugzilla/show_bug.cgi?id=51223
+                    // In case the browser has a response cached from another origin, it will send the same etag,
+                    // Apache returns with a 304 without cors headers, the browser serves the cached request with
+                    // wrong 'access-control-allow-origin' and the fetch will fail with a CORS error.
+                    // By always sending '*' the cached response still happens to be valid in that case.
+                    'forced_allow_origin_value' => '*',
                 ],
             ],
         ]);