GraphQLBundle has build-in support for Cross-Origin Resource Sharing (CORS), by default this option is disabled.

Can be enabled in the bundle config:

#config.yml

graphql:
    cors: true

The default configuration is enough for many scenarios using a GraphQL API, but if you need can change some basic settings.

cors:
    enabled:              true
    allow_credentials:    true
    allow_headers:

        # Defaults:
        - Origin
        - Content-Type
        - Accept
        - Authorization
    max_age:              3600
    allow_methods:

        # Defaults:
        - POST
        - GET
        - OPTIONS
    allow_origins:

        # Default:
        - *

If you need more control over CORS settings, use some advanced library like NelmioCorsBundle instead of build-in settings.