Hi,

I ran into a problem earlier this day when trying to test the production environment with Symfony 3.1 and HttpCache. I use Symfony3 as a REST API and OAuth2 Provider (FOS, FOS).

Whenever I wanted to hit the API to get an access token on login, I got a CORS error saying that some headers weren't allowed. This is two chained requests:
OPTIONS /oauth/v2/token
POST /oauth/v2/token

The pre-flight one is processed by HttpCache which wants to know if it can cache it or not. So a sub request is send with the method GET and caught by the relevant controller... However, this request is not CORS compliant and calling this specific request with a GET makes it crash...

[2016-08-09 21:20:37] request.INFO: Matched route "{route}".{"route":"fos_oauth_server_token","route_parameters":{"_controller":"Odyssapp\\OAuthBundle\\Controller\\TokenController::tokenAction","_route":"fos_oauth_server_token"},"request_uri":"https://api-staging.odyssapp.com/oauth/v2/token","method":"GET"} []

It seems that this particular commit 1404607 is the one which changed the behaviour. OPTIONS is now a safe method which allows HttpCache to try to cache it. Is it possible to deactivate the cache for this kind of requests ? And let them pass directly to the backend ?

On another projects with lower versions of Symfony (2.8), all works fine. For now, I have deactivated HttpCache and everything is back to normal. I could downgrade to 3.1.2 but it will not be corrected if I do so :P

Thank you.