PHP Class yii\filters\Cors

Make sure to read carefully what CORS does and does not do. CORS does not secure your API; it allows the developer to grant access to third-party code (AJAX calls from an external domain).

You may use the CORS filter by attaching it as a behavior to a controller or module, like the following:

```php
public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
        ],
    ];
}
```

The CORS filter can be specialized to restrict parameters, like this (see MDN CORS Information):

```php
public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
            'cors' => [
                // restrict access to
                'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                // Allow only POST and PUT methods
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                // Allow only headers 'X-Wsse'
                'Access-Control-Request-Headers' => ['X-Wsse'],
                // Send the Access-Control-Allow-Credentials header
                'Access-Control-Allow-Credentials' => true,
                // Allow OPTIONS caching
                'Access-Control-Max-Age' => 3600,
                // Allow the X-Pagination-Current-Page header to be exposed to the browser.
                'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
            ],
        ],
    ];
}
```

For more information on how to add the CORS filter to a controller, see the Guide on REST controllers.
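Because the filter only tells browsers which origins may read responses, access control still has to come from an authenticator. The following is an added example, not code from the Yii project or this page: the controller, model and origin names are hypothetical, and it assumes a `yii\rest\ActiveController` whose inherited `authenticator` behavior is re-added after the CORS filter so that preflight `OPTIONS` requests are answered without credentials. It also uses the `$actions` property to override one setting for a single action.

```php
<?php

namespace app\controllers;

use yii\filters\Cors;
use yii\filters\auth\HttpBearerAuth;
use yii\rest\ActiveController;

// Hypothetical controller; app\models\Order and the origin below are placeholders.
class OrderController extends ActiveController
{
    public $modelClass = 'app\models\Order';

    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Remove the inherited authenticator so it can be re-added AFTER the
        // CORS filter; behaviors run in the order they appear in this array.
        unset($behaviors['authenticator']);

        $behaviors['corsFilter'] = [
            'class' => Cors::class,
            'cors' => [
                // Only this front-end origin may read responses from a browser.
                'Origin' => ['https://app.example.com'],
                'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'OPTIONS'],
                'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
                // Bearer tokens travel in the Authorization header, so cookies are not needed.
                'Access-Control-Allow-Credentials' => false,
                'Access-Control-Max-Age' => 3600,
            ],
            // $actions: per-action overrides, keyed by action ID.
            'actions' => [
                'index' => [
                    'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
                ],
            ],
        ];

        // Authentication is what actually protects the API. Non-browser clients
        // ignore CORS entirely, so every real action still requires a valid token.
        $behaviors['authenticator'] = [
            'class' => HttpBearerAuth::class,
            'except' => ['options'], // preflight requests carry no credentials
        ];

        return $behaviors;
    }
}
```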
Since: 2.0
Author: Philippe Gaultier
Inheritance: extends yii\base\ActionFilter
Project: yiisoft/yii2

Public Properties

| Property | Type | Description |
|---|---|---|
| $actions | | define specific CORS rules for specific actions |
| $cors | | Basic headers handled for the CORS requests. |
| $request | | the current request. If not set, the request application component will be used. |
| $response | | the response to be sent. If not set, the response application component will be used. |

Public Methods

| Method | Description |
|---|---|
| addCorsHeaders ( Response $response, array $headers ) | Adds the CORS headers to the response |
| beforeAction ( $action ) | |
| extractHeaders ( ) : array | Extract CORS headers from the request |
| overrideDefaultSettings ( Action $action ) | Override settings for specific action |
| prepareHeaders ( array $requestHeaders ) : array | Create the specific response for each CORS header |

Protected Methods

| Method | Description |
|---|---|
| headerize ( string $string ) : string | Convert any string (including PHP headers with the HTTP prefix) to header format, e.g. X-PINGOTHER -> X-Pingother, X_PINGOTHER -> X-Pingother |
| headerizeToPhp ( string $string ) : string | Convert any string (including PHP headers with the HTTP prefix) to PHP $_SERVER header format, e.g. X-Pingother -> HTTP_X_PINGOTHER, X PINGOTHER -> HTTP_X_PINGOTHER |
| prepareAllowHeaders ( string $type, array $requestHeaders, array &$responseHeaders ) | Handle classic CORS request to avoid duplicate code |

Method Details

addCorsHeaders() public method

Adds the CORS headers to the response
public addCorsHeaders ( Response $response, array $headers )
$response yii\web\Response
$headers array CORS headers which have been computed

beforeAction() public method

public beforeAction ( $action )

extractHeaders() public method

Extract CORS headers from the request
public extractHeaders ( ) : array
return array CORS headers to handle

headerize() protected method

Convert any string (including PHP headers with the HTTP prefix) to header format, for example:
* X-PINGOTHER -> X-Pingother
* X_PINGOTHER -> X-Pingother
protected headerize ( string $string ) : string
$string string string to convert
return string the result in "header" format

headerizeToPhp() protected method

Convert any string (including PHP headers with the HTTP prefix) to PHP $_SERVER header format, for example:
* X-Pingother -> HTTP_X_PINGOTHER
* X PINGOTHER -> HTTP_X_PINGOTHER
protected headerizeToPhp ( string $string ) : string
$string string string to convert
return string the result in "php $_SERVER header" format

overrideDefaultSettings() public method

Override settings for specific action
public overrideDefaultSettings ( Action $action )
$action yii\base\Action the action settings to override

prepareAllowHeaders() protected method

Handle classic CORS request to avoid duplicate code
protected prepareAllowHeaders ( string $type, array $requestHeaders, array &$responseHeaders )
$type string the kind of headers we would handle
$requestHeaders array CORS headers requested by the client
$responseHeaders array CORS response headers sent to the client

prepareHeaders() public method

Create the specific response for each CORS header
public prepareHeaders ( array $requestHeaders ) : array
$requestHeaders array CORS headers we have detected
return array CORS headers ready to be sent

Property Details

$actions public property

define specific CORS rules for specific actions
public $actions

$cors public property

Basic headers handled for the CORS requests.
public $cors

$request public property

the current request. If not set, the request application component will be used.
public $request

$response public property

the response to be sent. If not set, the response application component will be used.
public $response