Inheritance | yii\filters\Cors » yii\base\ActionFilter » yii\base\Behavior » yii\base\Object |
---|---|
Implements | yii\base\Configurable |
Available since version | 2.0 |
Source Code | https://github.com/yiisoft/yii2/blob/master/framework/filters/Cors.php |
Cors filter implements Cross Origin Resource Sharing.
Make sure to read carefully what CORS does and does not do. CORS does not secure your API; it allows the developer to grant access to third-party code (AJAX calls from an external domain).
You may use the CORS filter by attaching it as a behavior to a controller or module, as follows:
```php
public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
        ],
    ];
}
```
The CORS filter can be specialized to restrict parameters, like this (see MDN CORS Information):
```php
public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::className(),
            'cors' => [
                // restrict access to
                'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                // Allow only POST and PUT methods
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                // Allow only headers 'X-Wsse'
                'Access-Control-Request-Headers' => ['X-Wsse'],
                'Access-Control-Allow-Credentials' => true,
                // Allow OPTIONS caching
                'Access-Control-Max-Age' => 3600,
                // Allow the X-Pagination-Current-Page header to be exposed to the browser.
                'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
            ],
        ],
    ];
}
```
For more information on how to add the CORS filter to a controller, see the Guide on REST controllers.
Property | Type | Description | Defined By |
---|---|---|---|
$actions | array | Define specific CORS rules for specific actions | yii\filters\Cors |
$cors | array | Basic headers handled for the CORS requests. | yii\filters\Cors |
$except | array | List of action IDs that this filter should not apply to. | yii\base\ActionFilter |
$only | array | List of action IDs that this filter should apply to. | yii\base\ActionFilter |
$owner | yii\base\Component\|null | The owner of this behavior | yii\base\Behavior |
$request | yii\web\Request | The current request. | yii\filters\Cors |
$response | yii\web\Response | The response to be sent. | yii\filters\Cors |
Method | Description | Defined By |
---|---|---|
__call() | Calls the named method which is not a class method. | yii\base\Object |
__construct() | Constructor. | yii\base\Object |
__get() | Returns the value of an object property. | yii\base\Object |
__isset() | Checks if a property is set, i.e. defined and not null. | yii\base\Object |
__set() | Sets value of an object property. | yii\base\Object |
__unset() | Sets an object property to null. | yii\base\Object |
addCorsHeaders() | Adds the CORS headers to the response | yii\filters\Cors |
afterAction() | This method is invoked right after an action is executed. | yii\base\ActionFilter |
afterFilter() | | yii\base\ActionFilter |
attach() | Attaches the behavior object to the component. | yii\base\Behavior |
beforeAction() | This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. | yii\filters\Cors |
beforeFilter() | | yii\base\ActionFilter |
canGetProperty() | Returns a value indicating whether a property can be read. | yii\base\Object |
canSetProperty() | Returns a value indicating whether a property can be set. | yii\base\Object |
className() | Returns the fully qualified name of this class. | yii\base\Object |
detach() | Detaches the behavior object from the component. | yii\base\Behavior |
events() | Declares event handlers for the $owner's events. | yii\base\Behavior |
extractHeaders() | Extract CORS headers from the request | yii\filters\Cors |
hasMethod() | Returns a value indicating whether a method is defined. | yii\base\Object |
hasProperty() | Returns a value indicating whether a property is defined. | yii\base\Object |
init() | Initializes the object. | yii\base\Object |
overrideDefaultSettings() | Override settings for specific action | yii\filters\Cors |
prepareHeaders() | For each CORS header, create the specific response | yii\filters\Cors |
Method | Description | Defined By |
---|---|---|
getActionId() | Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module | yii\base\ActionFilter |
headerize() | Convert any string (including PHP headers with the HTTP prefix) to header format, e.g. `X-PINGOTHER` -> `X-Pingother`, `X_PINGOTHER` -> `X-Pingother` | yii\filters\Cors |
headerizeToPhp() | Convert any string (including PHP headers with the HTTP prefix) to PHP `$_SERVER` header format, e.g. `X-Pingother` -> `HTTP_X_PINGOTHER`, `X PINGOTHER` -> `HTTP_X_PINGOTHER` | yii\filters\Cors |
isActive() | Returns a value indicating whether the filter is active for the given action. | yii\base\ActionFilter |
prepareAllowHeaders() | Handle classic CORS request to avoid duplicate code | yii\filters\Cors |
Define specific CORS rules for specific actions
public array $actions = []
Basic headers handled for the CORS requests.
```php
public array $cors = [
    'Origin' => ['*'],
    'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
    'Access-Control-Request-Headers' => ['*'],
    'Access-Control-Allow-Credentials' => null,
    'Access-Control-Max-Age' => 86400,
    'Access-Control-Expose-Headers' => [],
]
```
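A stricter configuration built from the `$cors` and `$actions` properties documented above, as an added example that is not part of the Yii documentation. The controller name, the `export` action ID and the origin `https://app.example.com` are hypothetical.

```php
<?php
// Added example (not from the Yii docs). ReportController, the 'export'
// action ID and https://app.example.com are hypothetical placeholders.

namespace app\controllers;

use yii\filters\Cors;
use yii\web\Controller;

class ReportController extends Controller
{
    public function behaviors()
    {
        return array_merge(parent::behaviors(), [
            'corsFilter' => [
                'class' => Cors::className(),
                // Replaces the default $cors array, which allows any origin
                // ('*'), seven HTTP methods and any request header.
                // All six keys of the default are listed so nothing is implicit.
                'cors' => [
                    // One exact origin: scheme and host must both match.
                    'Origin' => ['https://app.example.com'],
                    // Read-only by default.
                    'Access-Control-Request-Method' => ['GET', 'HEAD', 'OPTIONS'],
                    // Only the request headers the client actually sends.
                    'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
                    // No credentialed cross-origin requests by default.
                    'Access-Control-Allow-Credentials' => null,
                    // Shorter preflight cache than the 86400 s default.
                    'Access-Control-Max-Age' => 600,
                    'Access-Control-Expose-Headers' => [],
                ],
                // Per-action rules, keyed by action ID. Only this action
                // accepts POST and credentialed requests.
                'actions' => [
                    'export' => [
                        'Access-Control-Request-Method' => ['POST', 'OPTIONS'],
                        'Access-Control-Allow-Credentials' => true,
                    ],
                ],
            ],
        ]);
    }
}
```

These headers only tell the browser which cross-origin callers may read responses; authentication and authorization on the actions themselves are still required.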
The current request. If not set, the `request` application component will be used.
public yii\web\Request $request = null
The response to be sent. If not set, the `response` application component will be used.
public yii\web\Response $response = null
Adds the CORS headers to the response
public void addCorsHeaders ( $response, $headers ) | ||
---|---|---|
$response | yii\web\Response | |
$headers | array | CORS headers which have been computed |
This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.
public boolean beforeAction ( $action ) | ||
---|---|---|
$action | yii\base\Action | The action to be executed. |
return | boolean | Whether the action should continue to be executed. |
Extract CORS headers from the request
public array extractHeaders ( ) | ||
---|---|---|
return | array | CORS headers to handle |
Convert any string (including PHP headers with the HTTP prefix) to header format, e.g. `X-PINGOTHER` -> `X-Pingother`, `X_PINGOTHER` -> `X-Pingother`
protected string headerize ( $string ) | ||
---|---|---|
$string | string | String to convert |
return | string | The result in "header" format |
Convert any string (including PHP headers with the HTTP prefix) to PHP `$_SERVER` header format, e.g. `X-Pingother` -> `HTTP_X_PINGOTHER`, `X PINGOTHER` -> `HTTP_X_PINGOTHER`
protected string headerizeToPhp ( $string ) | ||
---|---|---|
$string | string | String to convert |
return | string | The result in "php $_SERVER header" format |
Override settings for specific action
public void overrideDefaultSettings ( $action ) | ||
---|---|---|
$action | yii\base\Action | The action settings to override |
Handle classic CORS request to avoid duplicate code
protected void prepareAllowHeaders ( $type, $requestHeaders, &$responseHeaders ) | ||
---|---|---|
$type | string | The kind of headers we would handle |
$requestHeaders | array | CORS headers requested by the client |
$responseHeaders | array | CORS response headers sent to the client |
For each CORS header, create the specific response
public array prepareHeaders ( $requestHeaders ) | ||
---|---|---|
$requestHeaders | array | CORS headers we have detected |
return | array | CORS headers ready to be sent |
© 2008–2017 by Yii Software LLC
Licensed under the three clause BSD license.
http://www.yiiframework.com/doc-2.0/yii-filters-cors.html