Class yii\filters\Cors

Inheritanceyii\filters\Cors » yii\base\ActionFilter » yii\base\Behavior » yii\base\Object
Implementsyii\base\Configurable
Available since version2.0
Source Code https://github.com/yiisoft/yii2/blob/master/framework/filters/Cors.php

Cors filter implements Cross Origin Resource Sharing.

Make sure to read carefully what CORS does and does not. CORS do not secure your API, but allow the developer to grant access to third party code (ajax calls from external domain).

You may use CORS filter by attaching it as a behavior to a controller or module, like the following,

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
        ],
    ];
}

The CORS filter can be specialized to restrict parameters, like this, MDN CORS Information

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
            'cors' => [
                // restrict access to
                'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                // Allow only POST and PUT methods
                'Access-Control-Request-Headers' => ['X-Wsse'],
                // Allow only headers 'X-Wsse'
                'Access-Control-Allow-Credentials' => true,
                // Allow OPTIONS caching
                'Access-Control-Max-Age' => 3600,
                // Allow the X-Pagination-Current-Page header to be exposed to the browser.
                'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
            ],

        ],
    ];
}

For more information on how to add the CORS filter to a controller, see the Guide on REST controllers.

Public Properties

Hide inherited properties

PropertyTypeDescriptionDefined By
$actions array Define specific CORS rules for specific actions yii\filters\Cors
$cors array Basic headers handled for the CORS requests. yii\filters\Cors
$except array List of action IDs that this filter should not apply to. yii\base\ActionFilter
$only array List of action IDs that this filter should apply to. yii\base\ActionFilter
$owner yii\base\Component|null The owner of this behavior yii\base\Behavior
$request yii\web\Request The current request. yii\filters\Cors
$response yii\web\Response The response to be sent. yii\filters\Cors

Public Methods

Hide inherited methods

MethodDescriptionDefined By
__call() Calls the named method which is not a class method. yii\base\Object
__construct() Constructor. yii\base\Object
__get() Returns the value of an object property. yii\base\Object
__isset() Checks if a property is set, i.e. defined and not null. yii\base\Object
__set() Sets value of an object property. yii\base\Object
__unset() Sets an object property to null. yii\base\Object
addCorsHeaders() Adds the CORS headers to the response yii\filters\Cors
afterAction() This method is invoked right after an action is executed. yii\base\ActionFilter
afterFilter() yii\base\ActionFilter
attach() Attaches the behavior object to the component. yii\base\Behavior
beforeAction() This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. yii\filters\Cors
beforeFilter() yii\base\ActionFilter
canGetProperty() Returns a value indicating whether a property can be read. yii\base\Object
canSetProperty() Returns a value indicating whether a property can be set. yii\base\Object
className() Returns the fully qualified name of this class. yii\base\Object
detach() Detaches the behavior object from the component. yii\base\Behavior
events() Declares event handlers for the $owner's events. yii\base\Behavior
extractHeaders() Extract CORS headers from the request yii\filters\Cors
hasMethod() Returns a value indicating whether a method is defined. yii\base\Object
hasProperty() Returns a value indicating whether a property is defined. yii\base\Object
init() Initializes the object. yii\base\Object
overrideDefaultSettings() Override settings for specific action yii\filters\Cors
prepareHeaders() For each CORS headers create the specific response yii\filters\Cors

Protected Methods

Hide inherited methods

MethodDescriptionDefined By
getActionId() Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module yii\base\ActionFilter
headerize() Convert any string (including php headers with HTTP prefix) to header format like : X-PINGOTHER -> X-Pingother X_PINGOTHER -> X-Pingother yii\filters\Cors
headerizeToPhp() Convert any string (including php headers with HTTP prefix) to header format like : X-Pingother -> HTTP_X_PINGOTHER X PINGOTHER -> HTTP_X_PINGOTHER yii\filters\Cors
isActive() Returns a value indicating whether the filter is active for the given action. yii\base\ActionFilter
prepareAllowHeaders() Handle classic CORS request to avoid duplicate code yii\filters\Cors

Property Details

$actions public property

Define specific CORS rules for specific actions

public array $actions = []
$cors public property

Basic headers handled for the CORS requests.

public array $cors = ['Origin' => ['*'], 'Access-Control-Request-Method' => ['GET''POST''PUT''PATCH''DELETE''HEAD''OPTIONS'], 'Access-Control-Request-Headers' => ['*'], 'Access-Control-Allow-Credentials' => null'Access-Control-Max-Age' => 86400'Access-Control-Expose-Headers' => []]
$request public property

The current request. If not set, the request application component will be used.

public yii\web\Request $request null
$response public property

The response to be sent. If not set, the response application component will be used.

Method Details

addCorsHeaders() public method

Adds the CORS headers to the response

public void addCorsHeaders ( $response, $headers )
$response yii\web\Response
$headers array

CORS headers which have been computed

beforeAction() public method

This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.

public boolean beforeAction ( $action )
$action yii\base\Action

The action to be executed.

return boolean

Whether the action should continue to be executed.

extractHeaders() public method

Extract CORS headers from the request

public array extractHeaders ( )
return array

CORS headers to handle

headerize() protected method

Convert any string (including php headers with HTTP prefix) to header format like : X-PINGOTHER -> X-Pingother X_PINGOTHER -> X-Pingother

protected string headerize ( $string )
$string string

String to convert

return string

The result in "header" format

headerizeToPhp() protected method

Convert any string (including php headers with HTTP prefix) to header format like : X-Pingother -> HTTP_X_PINGOTHER X PINGOTHER -> HTTP_X_PINGOTHER

protected string headerizeToPhp ( $string )
$string string

String to convert

return string

The result in "php $_SERVER header" format

overrideDefaultSettings() public method

Override settings for specific action

public void overrideDefaultSettings ( $action )
$action yii\base\Action

The action settings to override

prepareAllowHeaders() protected method

Handle classic CORS request to avoid duplicate code

protected void prepareAllowHeaders ( $type, $requestHeaders, &$responseHeaders )
$type string

The kind of headers we would handle

$requestHeaders array

CORS headers request by client

$responseHeaders array

CORS response headers sent to the client

prepareHeaders() public method

For each CORS headers create the specific response

public array prepareHeaders ( $requestHeaders )
$requestHeaders array

CORS headers we have detected

return array

CORS headers ready to be sent