Class yii\filters\Cors

Inheritance: yii\filters\Cors » yii\base\ActionFilter » yii\base\Behavior » yii\base\BaseObject
Implements: yii\base\Configurable
Available since version: 2.0
Source Code: https://github.com/yiisoft/yii2/blob/master/framework/filters/Cors.php

Cors filter implements Cross Origin Resource Sharing.

Make sure you understand what CORS does and does not do. CORS does not secure your API; it lets the developer grant browser-side third-party code (AJAX calls from an external domain) access to it.

You may use CORS filter by attaching it as a behavior to a controller or module, like the following,

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::class,
        ],
    ];
}

The CORS filter can be configured to restrict what it allows, like this (see the MDN CORS documentation for the meaning of each header):

public function behaviors()
{
    return [
        'corsFilter' => [
            'class' => \yii\filters\Cors::class,
            'cors' => [
                // restrict access to
                'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
                // Allow only POST and PUT methods
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                // Allow only headers 'X-Wsse'
                'Access-Control-Request-Headers' => ['X-Wsse'],
                // Allow credentials (cookies, authorization headers, etc.) to be exposed to the browser
                'Access-Control-Allow-Credentials' => true,
                // Allow OPTIONS caching
                'Access-Control-Max-Age' => 3600,
                // Allow the X-Pagination-Current-Page header to be exposed to the browser.
                'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
            ],

        ],
    ];
}

For more information on how to add the CORS filter to a controller, see the Guide on REST controllers.
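
As an added example (not from the Yii documentation or the framework source), the controller below combines the restrictive defaults with per-action overrides through the $actions property, places the filter ahead of the authenticator so that the credential-less OPTIONS preflight is answered, and shows the wildcard-plus-credentials pairing that prepareHeaders() rejects, left disabled for contrast. The controller and model class names, action IDs and host names are assumptions.

```php
<?php
// Added example, not from the Yii documentation or the framework source.
// Controller/model class names, action IDs and host names are assumptions.

namespace app\controllers;

use yii\filters\Cors;
use yii\rest\ActiveController;

class ArticleController extends ActiveController
{
    public $modelClass = 'app\models\Article'; // assumed model class

    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Weak setting, shown for contrast and left disabled: a wildcard origin
        // together with credentials. prepareHeaders() refuses this pairing
        // (InvalidConfigException when YII_DEBUG is on, a logged error otherwise)
        // and emits no Access-Control-Allow-Origin header at all.
        //
        // 'cors' => [
        //     'Origin' => ['*'],
        //     'Access-Control-Allow-Credentials' => true,
        // ],

        // The authenticator must run after the CORS filter and not at all for
        // the preflight: browsers send no credentials on an OPTIONS preflight,
        // so an authenticator placed first would reject it before the CORS
        // headers were added.
        $auth = $behaviors['authenticator'];
        unset($behaviors['authenticator']);

        $behaviors['corsFilter'] = [
            'class' => Cors::class,
            'cors' => [
                // Exact-match allow list: Access-Control-Allow-Origin is only
                // emitted when the request's Origin equals one of these values.
                'Origin' => ['https://app.example.com'],
                'Access-Control-Request-Method' => ['GET', 'HEAD', 'OPTIONS'],
                'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
                'Access-Control-Allow-Credentials' => true,
                'Access-Control-Max-Age' => 600,
                'Access-Control-Expose-Headers' => ['X-Pagination-Total-Count'],
            ],
            // $actions: keys are action IDs, values replace the matching
            // entries of 'cors' for that action only (overrideDefaultSettings()).
            'actions' => [
                // public read-only listing: readable from any origin, but then
                // without credentials (null means the header is not sent)
                'index' => [
                    'Origin' => ['*'],
                    'Access-Control-Allow-Credentials' => null,
                ],
                // write endpoint: the allowed origin may also use PUT/PATCH
                'update' => [
                    'Access-Control-Request-Method' => ['PUT', 'PATCH', 'OPTIONS'],
                ],
            ],
        ];

        // re-add the authenticator after the CORS filter, skipping the preflight
        $behaviors['authenticator'] = $auth;
        $behaviors['authenticator']['except'] = ['options'];

        return $behaviors;
    }
}
```

Each $actions entry is merged key by key into $cors before the headers are computed, so an action override only changes the headers it names; the 'update' entry above keeps the exact-match origin list and the credentials setting from the defaults.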

Public Properties

Property Type Description Defined By
$actions array Define specific CORS rules for specific actions yii\filters\Cors
$cors array Basic headers handled for the CORS requests. yii\filters\Cors
$except array List of action IDs that this filter should not apply to. yii\base\ActionFilter
$only array List of action IDs that this filter should apply to. yii\base\ActionFilter
$owner yii\base\Component|null The owner of this behavior yii\base\Behavior
$request yii\web\Request|null The current request. yii\filters\Cors
$response yii\web\Response|null The response to be sent. yii\filters\Cors

Public Methods

Method Description Defined By
__call() Calls the named method which is not a class method. yii\base\BaseObject
__construct() Constructor. yii\base\BaseObject
__get() Returns the value of an object property. yii\base\BaseObject
__isset() Checks if a property is set, i.e. defined and not null. yii\base\BaseObject
__set() Sets value of an object property. yii\base\BaseObject
__unset() Sets an object property to null. yii\base\BaseObject
addCorsHeaders() Adds the CORS headers to the response. yii\filters\Cors
afterAction() This method is invoked right after an action is executed. yii\base\ActionFilter
afterFilter() yii\base\ActionFilter
attach() Attaches the behavior object to the component. yii\base\ActionFilter
beforeAction() This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. yii\filters\Cors
beforeFilter() yii\base\ActionFilter
canGetProperty() Returns a value indicating whether a property can be read. yii\base\BaseObject
canSetProperty() Returns a value indicating whether a property can be set. yii\base\BaseObject
className() Returns the fully qualified name of this class. yii\base\BaseObject
detach() Detaches the behavior object from the component. yii\base\ActionFilter
events() Declares event handlers for the $owner's events. yii\base\Behavior
extractHeaders() Extract CORS headers from the request. yii\filters\Cors
hasMethod() Returns a value indicating whether a method is defined. yii\base\BaseObject
hasProperty() Returns a value indicating whether a property is defined. yii\base\BaseObject
init() Initializes the object. yii\base\BaseObject
overrideDefaultSettings() Override settings for specific action. yii\filters\Cors
prepareHeaders() For each CORS headers create the specific response. yii\filters\Cors

Protected Methods

Method Description Defined By
getActionId() Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module. yii\base\ActionFilter
headerize() Convert any string (including php headers with HTTP prefix) to header format. yii\filters\Cors
headerizeToPhp() Convert any string (including php headers with HTTP prefix) to header format. yii\filters\Cors
isActive() Returns a value indicating whether the filter is active for the given action. yii\base\ActionFilter
prepareAllowHeaders() Handle classic CORS request to avoid duplicate code. yii\filters\Cors

Property Details

$actions public property

Define specific CORS rules for specific actions

public array $actions = []

$cors public property

Basic headers handled for the CORS requests.

public array $cors = [
    'Origin' => [
        '*',
    ],
    'Access-Control-Request-Method' => [
        'GET',
        'POST',
        'PUT',
        'PATCH',
        'DELETE',
        'HEAD',
        'OPTIONS',
    ],
    'Access-Control-Request-Headers' => [
        '*',
    ],
    'Access-Control-Allow-Credentials' => null,
    'Access-Control-Max-Age' => 86400,
    'Access-Control-Expose-Headers' => [],
]

$request public property

The current request. If not set, the request application component will be used.

$response public property

The response to be sent. If not set, the response application component will be used.

Method Details

__call() public method

Defined in: yii\base\BaseObject::__call()

Calls the named method which is not a class method.

Do not call this method directly as it is a PHP magic method that will be implicitly called when an unknown method is being invoked.

public mixed __call ( $name, $params )
$name string

The method name

$params array

Method parameters

return mixed

The method return value

throws yii\base\UnknownMethodException

when calling unknown method

public function __call($name, $params)
{
    throw new UnknownMethodException('Calling unknown method: ' . get_class($this) . "::$name()");
}

__construct() public method

Defined in: yii\base\BaseObject::__construct()

Constructor.

The default implementation does two things:

  • Initializes the object with the given configuration $config.
  • Call init().

If this method is overridden in a child class, it is recommended that

  • the last parameter of the constructor is a configuration array, like $config here.
  • call the parent implementation at the end of the constructor.

public void __construct ( $config = [] )
$config array

Name-value pairs that will be used to initialize the object properties

public function __construct($config = [])
{
    if (!empty($config)) {
        Yii::configure($this, $config);
    }
    $this->init();
}

__get() public method

Defined in: yii\base\BaseObject::__get()

Returns the value of an object property.

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing $value = $object->property;.

See also __set().

public mixed __get ( $name )
$name string

The property name

return mixed

The property value

throws yii\base\UnknownPropertyException

if the property is not defined

throws yii\base\InvalidCallException

if the property is write-only

public function __get($name)
{
    $getter = 'get' . $name;
    if (method_exists($this, $getter)) {
        return $this->$getter();
    } elseif (method_exists($this, 'set' . $name)) {
        throw new InvalidCallException('Getting write-only property: ' . get_class($this) . '::' . $name);
    }
    throw new UnknownPropertyException('Getting unknown property: ' . get_class($this) . '::' . $name);
}

__isset() public method

Defined in: yii\base\BaseObject::__isset()

Checks if a property is set, i.e. defined and not null.

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing isset($object->property).

Note that if the property is not defined, false will be returned.

See also https://www.php.net/manual/en/function.isset.php.

public boolean __isset ( $name )
$name string

The property name or the event name

return boolean

Whether the named property is set (not null).

public function __isset($name)
{
    $getter = 'get' . $name;
    if (method_exists($this, $getter)) {
        return $this->$getter() !== null;
    }
    return false;
}

__set() public method

Defined in: yii\base\BaseObject::__set()

Sets value of an object property.

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing $object->property = $value;.

See also __get().

public void __set ( $name, $value )
$name string

The property name or the event name

$value mixed

The property value

throws yii\base\UnknownPropertyException

if the property is not defined

throws yii\base\InvalidCallException

if the property is read-only

public function __set($name, $value)
{
    $setter = 'set' . $name;
    if (method_exists($this, $setter)) {
        $this->$setter($value);
    } elseif (method_exists($this, 'get' . $name)) {
        throw new InvalidCallException('Setting read-only property: ' . get_class($this) . '::' . $name);
    } else {
        throw new UnknownPropertyException('Setting unknown property: ' . get_class($this) . '::' . $name);
    }
}

__unset() public method

Defined in: yii\base\BaseObject::__unset()

Sets an object property to null.

Do not call this method directly as it is a PHP magic method that will be implicitly called when executing unset($object->property).

Note that if the property is not defined, this method will do nothing. If the property is read-only, it will throw an exception.

See also https://www.php.net/manual/en/function.unset.php.

public void __unset ( $name )
$name string

The property name

throws yii\base\InvalidCallException

if the property is read only.

public function __unset($name)
{
    $setter = 'set' . $name;
    if (method_exists($this, $setter)) {
        $this->$setter(null);
    } elseif (method_exists($this, 'get' . $name)) {
        throw new InvalidCallException('Unsetting read-only property: ' . get_class($this) . '::' . $name);
    }
}

addCorsHeaders() public method

Adds the CORS headers to the response.

public void addCorsHeaders ( $response, $headers )
$response yii\web\Response
$headers array

CORS headers which have been computed

public function addCorsHeaders($response, $headers)
{
    if (empty($headers) === false) {
        $responseHeaders = $response->getHeaders();
        foreach ($headers as $field => $value) {
            $responseHeaders->set($field, $value);
        }
    }
}

afterAction() public method

Defined in: yii\base\ActionFilter::afterAction()

This method is invoked right after an action is executed.

You may override this method to do some postprocessing for the action.

public mixed afterAction ( $action, $result )
$action yii\base\Action

The action just executed.

$result mixed

The action execution result

return mixed

The processed action result.

public function afterAction($action, $result)
{
    return $result;
}

afterFilter() public method
public void afterFilter ( $event )
$event yii\base\ActionEvent

public function afterFilter($event)
{
    $event->result = $this->afterAction($event->action, $event->result);
    $this->owner->off(Controller::EVENT_AFTER_ACTION, [$this, 'afterFilter']);
}

attach() public method

Defined in: yii\base\ActionFilter::attach()

Attaches the behavior object to the component.

The default implementation will set the $owner property and attach event handlers as declared in events(). Make sure you call the parent implementation if you override this method.

public void attach ( $owner )
$owner yii\base\Component

The component that this behavior is to be attached to.

public function attach($owner)
{
    $this->owner = $owner;
    $owner->on(Controller::EVENT_BEFORE_ACTION, [$this, 'beforeFilter']);
}

beforeAction() public method

This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.

public boolean beforeAction ( $action )
$action yii\base\Action

The action to be executed.

return boolean

Whether the action should continue to be executed.

public function beforeAction($action)
{
    $this->request = $this->request ?: Yii::$app->getRequest();
    $this->response = $this->response ?: Yii::$app->getResponse();
    $this->overrideDefaultSettings($action);
    $requestCorsHeaders = $this->extractHeaders();
    $responseCorsHeaders = $this->prepareHeaders($requestCorsHeaders);
    $this->addCorsHeaders($this->response, $responseCorsHeaders);
    if ($this->request->isOptions && $this->request->headers->has('Access-Control-Request-Method')) {
        // it is CORS preflight request, respond with 200 OK without further processing
        $this->response->setStatusCode(200);
        return false;
    }
    return true;
}

beforeFilter() public method
public void beforeFilter ( $event )
$event yii\base\ActionEvent

public function beforeFilter($event)
{
    if (!$this->isActive($event->action)) {
        return;
    }
    $event->isValid = $this->beforeAction($event->action);
    if ($event->isValid) {
        // call afterFilter only if beforeFilter succeeds
        // beforeFilter and afterFilter should be properly nested
        $this->owner->on(Controller::EVENT_AFTER_ACTION, [$this, 'afterFilter'], null, false);
    } else {
        $event->handled = true;
    }
}

canGetProperty() public method

Defined in: yii\base\BaseObject::canGetProperty()

Returns a value indicating whether a property can be read.

A property is readable if:

  • the class has a getter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);

See also canSetProperty().

public boolean canGetProperty ( $name, $checkVars = true )
$name string

The property name

$checkVars boolean

Whether to treat member variables as properties

return boolean

Whether the property can be read

public function canGetProperty($name, $checkVars = true)
{
    return method_exists($this, 'get' . $name) || $checkVars && property_exists($this, $name);
}

canSetProperty() public method

Defined in: yii\base\BaseObject::canSetProperty()

Returns a value indicating whether a property can be set.

A property is writable if:

  • the class has a setter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);

See also canGetProperty().

public boolean canSetProperty ( $name, $checkVars = true )
$name string

The property name

$checkVars boolean

Whether to treat member variables as properties

return boolean

Whether the property can be written

public function canSetProperty($name, $checkVars = true)
{
    return method_exists($this, 'set' . $name) || $checkVars && property_exists($this, $name);
}

className() public static method
Deprecated since 2.0.14. On PHP >=5.5, use ::class instead.

Defined in: yii\base\BaseObject::className()

Returns the fully qualified name of this class.

public static string className ( )
return string

The fully qualified name of this class.

public static function className()
{
    return get_called_class();
}

detach() public method

Defined in: yii\base\ActionFilter::detach()

Detaches the behavior object from the component.

The default implementation will unset the $owner property and detach event handlers declared in events(). Make sure you call the parent implementation if you override this method.

public void detach ( )

public function detach()
{
    if ($this->owner) {
        $this->owner->off(Controller::EVENT_BEFORE_ACTION, [$this, 'beforeFilter']);
        $this->owner->off(Controller::EVENT_AFTER_ACTION, [$this, 'afterFilter']);
        $this->owner = null;
    }
}

events() public method

Defined in: yii\base\Behavior::events()

Declares event handlers for the $owner's events.

Child classes may override this method to declare what PHP callbacks should be attached to the events of the $owner component.

The callbacks will be attached to the $owner's events when the behavior is attached to the owner; and they will be detached from the events when the behavior is detached from the component.

The callbacks can be any of the following:

  • method in this behavior: 'handleClick', equivalent to [$this, 'handleClick']
  • object method: [$object, 'handleClick']
  • static method: ['Page', 'handleClick']
  • anonymous function: function ($event) { ... }

The following is an example:

[
    Model::EVENT_BEFORE_VALIDATE => 'myBeforeValidate',
    Model::EVENT_AFTER_VALIDATE => 'myAfterValidate',
]

public array events ( )
return array

Events (array keys) and the corresponding event handler methods (array values).

public function events()
{
    return [];
}

extractHeaders() public method

Extract CORS headers from the request.

public array extractHeaders ( )
return array

CORS headers to handle

public function extractHeaders()
{
    $headers = [];
    foreach (array_keys($this->cors) as $headerField) {
        $serverField = $this->headerizeToPhp($headerField);
        $headerData = isset($_SERVER[$serverField]) ? $_SERVER[$serverField] : null;
        if ($headerData !== null) {
            $headers[$headerField] = $headerData;
        }
    }
    return $headers;
}

getActionId() protected method (available since version 2.0.7)

Defined in: yii\base\ActionFilter::getActionId()

Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module.

protected string getActionId ( $action )
$action yii\base\Action

protected function getActionId($action)
{
    if ($this->owner instanceof Module) {
        $mid = $this->owner->getUniqueId();
        $id = $action->getUniqueId();
        if ($mid !== '' && strpos($id, $mid) === 0) {
            $id = substr($id, strlen($mid) + 1);
        }
    } else {
        $id = $action->id;
    }
    return $id;
}

hasMethod() public method

Defined in: yii\base\BaseObject::hasMethod()

Returns a value indicating whether a method is defined.

The default implementation is a call to php function method_exists(). You may override this method when you implemented the php magic method __call().

public boolean hasMethod ( $name )
$name string

The method name

return boolean

Whether the method is defined

public function hasMethod($name)
{
    return method_exists($this, $name);
}

hasProperty() public method

Defined in: yii\base\BaseObject::hasProperty()

Returns a value indicating whether a property is defined.

A property is defined if:

  • the class has a getter or setter method associated with the specified name (in this case, property name is case-insensitive);
  • the class has a member variable with the specified name (when $checkVars is true);

See also canGetProperty() and canSetProperty().

public boolean hasProperty ( $name, $checkVars = true )
$name string

The property name

$checkVars boolean

Whether to treat member variables as properties

return boolean

Whether the property is defined

public function hasProperty($name, $checkVars = true)
{
    return $this->canGetProperty($name, $checkVars) || $this->canSetProperty($name, false);
}

headerize() protected method

Convert any string (including php headers with HTTP prefix) to header format.

Example:

  • X-PINGOTHER -> X-Pingother
  • X_PINGOTHER -> X-Pingother

protected string headerize ( $string )
$string string

String to convert

return string

The result in "header" format

protected function headerize($string)
{
    $headers = preg_split('/[\\s,]+/', $string, -1, PREG_SPLIT_NO_EMPTY);
    $headers = array_map(function ($element) {
        return str_replace(' ', '-', ucwords(strtolower(str_replace(['_', '-'], [' ', ' '], $element))));
    }, $headers);
    return implode(', ', $headers);
}

headerizeToPhp() protected method

Convert any string (including headers in HTTP format) to the php $_SERVER header format.

Example:

  • X-Pingother -> HTTP_X_PINGOTHER
  • X PINGOTHER -> HTTP_X_PINGOTHER

protected string headerizeToPhp ( $string )
$string string

String to convert

return string

The result in "php $_SERVER header" format

protected function headerizeToPhp($string)
{
    return 'HTTP_' . strtoupper(str_replace([' ', '-'], ['_', '_'], $string));
}

init() public method

Defined in: yii\base\BaseObject::init()

Initializes the object.

This method is invoked at the end of the constructor after the object is initialized with the given configuration.

public void init ( )

public function init()
{
}

isActive() protected method

Defined in: yii\base\ActionFilter::isActive()

Returns a value indicating whether the filter is active for the given action.

protected boolean isActive ( $action )
$action yii\base\Action

The action being filtered

return boolean

Whether the filter is active for the given action.

protected function isActive($action)
{
    $id = $this->getActionId($action);
    if (empty($this->only)) {
        $onlyMatch = true;
    } else {
        $onlyMatch = false;
        foreach ($this->only as $pattern) {
            if (StringHelper::matchWildcard($pattern, $id)) {
                $onlyMatch = true;
                break;
            }
        }
    }
    $exceptMatch = false;
    foreach ($this->except as $pattern) {
        if (StringHelper::matchWildcard($pattern, $id)) {
            $exceptMatch = true;
            break;
        }
    }
    return !$exceptMatch && $onlyMatch;
}

overrideDefaultSettings() public method

Override the default CORS settings for a specific action, using the entry of $actions keyed by that action's ID.

public void overrideDefaultSettings ( $action )
$action yii\base\Action

The action whose per-action settings (if any) replace the defaults

public function overrideDefaultSettings($action)
{
    if (isset($this->actions[$action->id])) {
        $actionParams = $this->actions[$action->id];
        $actionParamsKeys = array_keys($actionParams);
        foreach ($this->cors as $headerField => $headerValue) {
            if (in_array($headerField, $actionParamsKeys)) {
                $this->cors[$headerField] = $actionParams[$headerField];
            }
        }
    }
}

prepareAllowHeaders() protected method

Handle one kind of Access-Control-Request-* header, shared code that avoids duplication.

protected void prepareAllowHeaders ( $type, $requestHeaders, &$responseHeaders )
$type string

The kind of headers we would handle

$requestHeaders array

CORS headers requested by the client

$responseHeaders array

CORS response headers sent to the client

protected function prepareAllowHeaders($type, $requestHeaders, &$responseHeaders)
{
    $requestHeaderField = 'Access-Control-Request-' . $type;
    $responseHeaderField = 'Access-Control-Allow-' . $type;
    if (!isset($requestHeaders[$requestHeaderField], $this->cors[$requestHeaderField])) {
        return;
    }
    if (in_array('*', $this->cors[$requestHeaderField])) {
        $responseHeaders[$responseHeaderField] = $this->headerize($requestHeaders[$requestHeaderField]);
    } else {
        $requestedData = preg_split('/[\\s,]+/', $requestHeaders[$requestHeaderField], -1, PREG_SPLIT_NO_EMPTY);
        $acceptedData = array_uintersect($requestedData, $this->cors[$requestHeaderField], 'strcasecmp');
        if (!empty($acceptedData)) {
            $responseHeaders[$responseHeaderField] = implode(', ', $acceptedData);
        }
    }
}

prepareHeaders() public method

For each CORS request header, compute the corresponding response header.

public array prepareHeaders ( $requestHeaders )
$requestHeaders array

CORS headers we have detected

return array

CORS headers ready to be sent

public function prepareHeaders($requestHeaders)
{
    $responseHeaders = [];
    // handle Origin
    if (isset($requestHeaders['Origin'], $this->cors['Origin'])) {
        if (in_array($requestHeaders['Origin'], $this->cors['Origin'], true)) {
            $responseHeaders['Access-Control-Allow-Origin'] = $requestHeaders['Origin'];
        }
        if (in_array('*', $this->cors['Origin'], true)) {
            // Per CORS standard (https://fetch.spec.whatwg.org), wildcard origins shouldn't be used together with credentials
            if (isset($this->cors['Access-Control-Allow-Credentials']) && $this->cors['Access-Control-Allow-Credentials']) {
                if (YII_DEBUG) {
                    throw new InvalidConfigException("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.");
                } else {
                    Yii::error("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.", __METHOD__);
                }
            } else {
                $responseHeaders['Access-Control-Allow-Origin'] = '*';
            }
        }
    }
    $this->prepareAllowHeaders('Headers', $requestHeaders, $responseHeaders);
    if (isset($requestHeaders['Access-Control-Request-Method'])) {
        $responseHeaders['Access-Control-Allow-Methods'] = implode(', ', $this->cors['Access-Control-Request-Method']);
    }
    if (isset($this->cors['Access-Control-Allow-Credentials'])) {
        $responseHeaders['Access-Control-Allow-Credentials'] = $this->cors['Access-Control-Allow-Credentials'] ? 'true' : 'false';
    }
    if (isset($this->cors['Access-Control-Max-Age']) && $this->request->getIsOptions()) {
        $responseHeaders['Access-Control-Max-Age'] = $this->cors['Access-Control-Max-Age'];
    }
    if (isset($this->cors['Access-Control-Expose-Headers'])) {
        $responseHeaders['Access-Control-Expose-Headers'] = implode(', ', $this->cors['Access-Control-Expose-Headers']);
    }
    if (isset($this->cors['Access-Control-Allow-Headers'])) {
        $responseHeaders['Access-Control-Allow-Headers'] = implode(', ', $this->cors['Access-Control-Allow-Headers']);
    }
    return $responseHeaders;
}
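
The following stand-alone script is an added example, not code from the Yii project: it drives the filter's own extractHeaders(), prepareAllowHeaders() and prepareHeaders() with constructed $_SERVER values to confirm the behaviour documented in the method details above: an origin absent from the allow list gets no Access-Control-Allow-Origin, requested headers are intersected with the allow list, Max-Age is only sent on a preflight, and a wildcard origin combined with credentials is rejected. The Composer paths, the YII_DEBUG setting and the host names are assumptions.

```php
<?php
// Added example, not part of the Yii documentation: exercises the filter's own
// extractHeaders()/prepareHeaders() against constructed $_SERVER values.
// Assumptions: yii2 installed via Composer at the paths below; run with
//   php -d zend.assertions=1 cors_check.php

define('YII_DEBUG', true); // must precede Yii.php, which otherwise defines it as false

require __DIR__ . '/vendor/autoload.php';
require __DIR__ . '/vendor/yiisoft/yii2/Yii.php';

use yii\base\InvalidConfigException;
use yii\filters\Cors;
use yii\web\Request;

/**
 * Compute the CORS response headers the filter would add for one constructed request.
 * extractHeaders() reads $_SERVER, so the constructed values are injected there
 * and restored afterwards.
 */
function corsResponseHeaders(array $corsConfig, array $serverVars)
{
    $saved = $_SERVER;
    $_SERVER = array_merge($_SERVER, $serverVars);
    try {
        $filter = new Cors([
            'cors' => $corsConfig,
            'request' => new Request(), // getIsOptions() decides whether Max-Age is sent
        ]);
        return $filter->prepareHeaders($filter->extractHeaders());
    } finally {
        $_SERVER = $saved;
    }
}

// Constructed allow list for the checks below.
$allowList = [
    'Origin' => ['https://app.example.com'],
    'Access-Control-Request-Method' => ['GET', 'POST'],
    'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
    'Access-Control-Allow-Credentials' => true,
    'Access-Control-Max-Age' => 600,
];

// 1. Preflight from the allowed origin: the origin is echoed back, the requested
//    headers are intersected with the allow list (case-insensitively, keeping the
//    client's spelling), and Max-Age is sent because the method is OPTIONS.
$h = corsResponseHeaders($allowList, [
    'REQUEST_METHOD' => 'OPTIONS',
    'HTTP_ORIGIN' => 'https://app.example.com',
    'HTTP_ACCESS_CONTROL_REQUEST_METHOD' => 'POST',
    'HTTP_ACCESS_CONTROL_REQUEST_HEADERS' => 'authorization, x-debug',
]);
assert($h['Access-Control-Allow-Origin'] === 'https://app.example.com');
assert($h['Access-Control-Allow-Headers'] === 'authorization'); // x-debug dropped
assert($h['Access-Control-Allow-Methods'] === 'GET, POST');
assert($h['Access-Control-Allow-Credentials'] === 'true');
assert($h['Access-Control-Max-Age'] === 600);

// 2. Actual request from an origin not on the allow list: no
//    Access-Control-Allow-Origin, so the browser withholds the response from the
//    calling script; no Max-Age because this is not a preflight.
$h = corsResponseHeaders($allowList, [
    'REQUEST_METHOD' => 'GET',
    'HTTP_ORIGIN' => 'https://other.example.net',
]);
assert(!isset($h['Access-Control-Allow-Origin']));
assert(!isset($h['Access-Control-Max-Age']));

// 3. Wildcard origin combined with credentials: rejected outright in debug mode.
try {
    corsResponseHeaders(
        ['Origin' => ['*'], 'Access-Control-Allow-Credentials' => true],
        ['REQUEST_METHOD' => 'GET', 'HTTP_ORIGIN' => 'https://app.example.com']
    );
    assert(false, 'wildcard origin with credentials must be rejected');
} catch (InvalidConfigException $e) {
    // expected: the filter refuses to emit Access-Control-Allow-Origin: *
}

echo "all CORS checks passed\n";
```

Note that in case 2 the filter still emits Access-Control-Allow-Credentials: true; the response is blocked on the browser side only because Access-Control-Allow-Origin is absent, which is why the exact-match origin list, not the credentials flag, is the setting that matters.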