Class yii\filters\Cors
| Inheritance | yii\filters\Cors » yii\base\ActionFilter » yii\base\Behavior » yii\base\BaseObject |
|---|---|
| Implements | yii\base\Configurable |
| Available since version | 2.0 |
| Source Code | https://github.com/yiisoft/yii2/blob/master/framework/filters/Cors.php |
Cors filter implements Cross Origin Resource Sharing.
Make sure to read carefully what CORS does and does not. CORS do not secure your API, but allow the developer to grant access to third party code (ajax calls from external domain).
You may use CORS filter by attaching it as a behavior to a controller or module, like the following,
public function behaviors()
{
return [
'corsFilter' => [
'class' => \yii\filters\Cors::class,
],
];
}
The CORS filter can be specialized to restrict parameters, like this, MDN CORS Information
public function behaviors()
{
return [
'corsFilter' => [
'class' => \yii\filters\Cors::class,
'cors' => [
// restrict access to
'Origin' => ['http://www.myserver.com', 'https://www.myserver.com'],
// Allow only POST and PUT methods
'Access-Control-Request-Method' => ['POST', 'PUT'],
// Allow only headers 'X-Wsse'
'Access-Control-Request-Headers' => ['X-Wsse'],
// Allow credentials (cookies, authorization headers, etc.) to be exposed to the browser
'Access-Control-Allow-Credentials' => true,
// Allow OPTIONS caching
'Access-Control-Max-Age' => 3600,
// Allow the X-Pagination-Current-Page header to be exposed to the browser.
'Access-Control-Expose-Headers' => ['X-Pagination-Current-Page'],
],
],
];
}
For more information on how to add the CORS filter to a controller, see the Guide on REST controllers.
Public Properties
| Property | Type | Description | Defined By |
|---|---|---|---|
| $actions | array | Define specific CORS rules for specific actions | yii\filters\Cors |
| $cors | array | Basic headers handled for the CORS requests. | yii\filters\Cors |
| $except | array | List of action IDs that this filter should not apply to. | yii\base\ActionFilter |
| $only | array | List of action IDs that this filter should apply to. | yii\base\ActionFilter |
| $owner | yii\base\Component|null | The owner of this behavior | yii\base\Behavior |
| $request | yii\web\Request|null | The current request. | yii\filters\Cors |
| $response | yii\web\Response|null | The response to be sent. | yii\filters\Cors |
Public Methods
| Method | Description | Defined By |
|---|---|---|
| __call() | Calls the named method which is not a class method. | yii\base\BaseObject |
| __construct() | Constructor. | yii\base\BaseObject |
| __get() | Returns the value of an object property. | yii\base\BaseObject |
| __isset() | Checks if a property is set, i.e. defined and not null. | yii\base\BaseObject |
| __set() | Sets value of an object property. | yii\base\BaseObject |
| __unset() | Sets an object property to null. | yii\base\BaseObject |
| addCorsHeaders() | Adds the CORS headers to the response. | yii\filters\Cors |
| afterAction() | This method is invoked right after an action is executed. | yii\base\ActionFilter |
| afterFilter() | yii\base\ActionFilter | |
| attach() | Attaches the behavior object to the component. | yii\base\ActionFilter |
| beforeAction() | This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action. | yii\filters\Cors |
| beforeFilter() | yii\base\ActionFilter | |
| canGetProperty() | Returns a value indicating whether a property can be read. | yii\base\BaseObject |
| canSetProperty() | Returns a value indicating whether a property can be set. | yii\base\BaseObject |
| className() | Returns the fully qualified name of this class. | yii\base\BaseObject |
| detach() | Detaches the behavior object from the component. | yii\base\ActionFilter |
| events() | Declares event handlers for the $owner's events. | yii\base\Behavior |
| extractHeaders() | Extract CORS headers from the request. | yii\filters\Cors |
| hasMethod() | Returns a value indicating whether a method is defined. | yii\base\BaseObject |
| hasProperty() | Returns a value indicating whether a property is defined. | yii\base\BaseObject |
| init() | Initializes the object. | yii\base\BaseObject |
| overrideDefaultSettings() | Override settings for specific action. | yii\filters\Cors |
| prepareHeaders() | For each CORS headers create the specific response. | yii\filters\Cors |
Protected Methods
| Method | Description | Defined By |
|---|---|---|
| getActionId() | Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module. | yii\base\ActionFilter |
| headerize() | Convert any string (including php headers with HTTP prefix) to header format. | yii\filters\Cors |
| headerizeToPhp() | Convert any string (including php headers with HTTP prefix) to header format. | yii\filters\Cors |
| isActive() | Returns a value indicating whether the filter is active for the given action. | yii\base\ActionFilter |
| prepareAllowHeaders() | Handle classic CORS request to avoid duplicate code. | yii\filters\Cors |
Property Details
Basic headers handled for the CORS requests.
'Origin' => [
'*',
],
'Access-Control-Request-Method' => [
'GET',
'POST',
'PUT',
'PATCH',
'DELETE',
'HEAD',
'OPTIONS',
],
'Access-Control-Request-Headers' => [
'*',
],
'Access-Control-Allow-Credentials' => null,
'Access-Control-Max-Age' => 86400,
'Access-Control-Expose-Headers' => [],
]
The current request. If not set, the request application component will be used.
The response to be sent. If not set, the response application component will be used.
Method Details
Defined in: yii\base\BaseObject::__call()
Calls the named method which is not a class method.
Do not call this method directly as it is a PHP magic method that will be implicitly called when an unknown method is being invoked.
| public mixed __call ( $name, $params ) | ||
| $name | string |
The method name |
| $params | array |
Method parameters |
| return | mixed |
The method return value |
|---|---|---|
| throws | yii\base\UnknownMethodException |
when calling unknown method |
public function __call($name, $params)
{
throw new UnknownMethodException('Calling unknown method: ' . get_class($this) . "::$name()");
}
Defined in: yii\base\BaseObject::__construct()
Constructor.
The default implementation does two things:
- Initializes the object with the given configuration
$config. - Call init().
If this method is overridden in a child class, it is recommended that
- the last parameter of the constructor is a configuration array, like
$confighere. - call the parent implementation at the end of the constructor.
| public void __construct ( $config = [] ) | ||
| $config | array |
Name-value pairs that will be used to initialize the object properties |
public function __construct($config = [])
{
if (!empty($config)) {
Yii::configure($this, $config);
}
$this->init();
}
Defined in: yii\base\BaseObject::__get()
Returns the value of an object property.
Do not call this method directly as it is a PHP magic method that
will be implicitly called when executing $value = $object->property;.
See also __set().
| public mixed __get ( $name ) | ||
| $name | string |
The property name |
| return | mixed |
The property value |
|---|---|---|
| throws | yii\base\UnknownPropertyException |
if the property is not defined |
| throws | yii\base\InvalidCallException |
if the property is write-only |
public function __get($name)
{
$getter = 'get' . $name;
if (method_exists($this, $getter)) {
return $this->$getter();
} elseif (method_exists($this, 'set' . $name)) {
throw new InvalidCallException('Getting write-only property: ' . get_class($this) . '::' . $name);
}
throw new UnknownPropertyException('Getting unknown property: ' . get_class($this) . '::' . $name);
}
Defined in: yii\base\BaseObject::__isset()
Checks if a property is set, i.e. defined and not null.
Do not call this method directly as it is a PHP magic method that
will be implicitly called when executing isset($object->property).
Note that if the property is not defined, false will be returned.
| public boolean __isset ( $name ) | ||
| $name | string |
The property name or the event name |
| return | boolean |
Whether the named property is set (not null). |
|---|---|---|
public function __isset($name)
{
$getter = 'get' . $name;
if (method_exists($this, $getter)) {
return $this->$getter() !== null;
}
return false;
}
Defined in: yii\base\BaseObject::__set()
Sets value of an object property.
Do not call this method directly as it is a PHP magic method that
will be implicitly called when executing $object->property = $value;.
See also __get().
| public void __set ( $name, $value ) | ||
| $name | string |
The property name or the event name |
| $value | mixed |
The property value |
| throws | yii\base\UnknownPropertyException |
if the property is not defined |
|---|---|---|
| throws | yii\base\InvalidCallException |
if the property is read-only |
public function __set($name, $value)
{
$setter = 'set' . $name;
if (method_exists($this, $setter)) {
$this->$setter($value);
} elseif (method_exists($this, 'get' . $name)) {
throw new InvalidCallException('Setting read-only property: ' . get_class($this) . '::' . $name);
} else {
throw new UnknownPropertyException('Setting unknown property: ' . get_class($this) . '::' . $name);
}
}
Defined in: yii\base\BaseObject::__unset()
Sets an object property to null.
Do not call this method directly as it is a PHP magic method that
will be implicitly called when executing unset($object->property).
Note that if the property is not defined, this method will do nothing. If the property is read-only, it will throw an exception.
| public void __unset ( $name ) | ||
| $name | string |
The property name |
| throws | yii\base\InvalidCallException |
if the property is read only. |
|---|---|---|
public function __unset($name)
{
$setter = 'set' . $name;
if (method_exists($this, $setter)) {
$this->$setter(null);
} elseif (method_exists($this, 'get' . $name)) {
throw new InvalidCallException('Unsetting read-only property: ' . get_class($this) . '::' . $name);
}
}
Adds the CORS headers to the response.
| public void addCorsHeaders ( $response, $headers ) | ||
| $response | yii\web\Response | |
| $headers | array |
CORS headers which have been computed |
public function addCorsHeaders($response, $headers)
{
if (empty($headers) === false) {
$responseHeaders = $response->getHeaders();
foreach ($headers as $field => $value) {
$responseHeaders->set($field, $value);
}
}
}
Defined in: yii\base\ActionFilter::afterAction()
This method is invoked right after an action is executed.
You may override this method to do some postprocessing for the action.
| public mixed afterAction ( $action, $result ) | ||
| $action | yii\base\Action |
The action just executed. |
| $result | mixed |
The action execution result |
| return | mixed |
The processed action result. |
|---|---|---|
public function afterAction($action, $result)
{
return $result;
}
Defined in: yii\base\ActionFilter::afterFilter()
| public void afterFilter ( $event ) | ||
| $event | yii\base\ActionEvent | |
public function afterFilter($event)
{
$event->result = $this->afterAction($event->action, $event->result);
$this->owner->off(Controller::EVENT_AFTER_ACTION, [$this, 'afterFilter']);
}
Defined in: yii\base\ActionFilter::attach()
Attaches the behavior object to the component.
The default implementation will set the $owner property and attach event handlers as declared in events(). Make sure you call the parent implementation if you override this method.
| public void attach ( $owner ) | ||
| $owner | yii\base\Component |
The component that this behavior is to be attached to. |
public function attach($owner)
{
$this->owner = $owner;
$owner->on(Controller::EVENT_BEFORE_ACTION, [$this, 'beforeFilter']);
}
This method is invoked right before an action is to be executed (after all possible filters.) You may override this method to do last-minute preparation for the action.
| public boolean beforeAction ( $action ) | ||
| $action | yii\base\Action |
The action to be executed. |
| return | boolean |
Whether the action should continue to be executed. |
|---|---|---|
public function beforeAction($action)
{
$this->request = $this->request ?: Yii::$app->getRequest();
$this->response = $this->response ?: Yii::$app->getResponse();
$this->overrideDefaultSettings($action);
$requestCorsHeaders = $this->extractHeaders();
$responseCorsHeaders = $this->prepareHeaders($requestCorsHeaders);
$this->addCorsHeaders($this->response, $responseCorsHeaders);
if ($this->request->isOptions && $this->request->headers->has('Access-Control-Request-Method')) {
// it is CORS preflight request, respond with 200 OK without further processing
$this->response->setStatusCode(200);
return false;
}
return true;
}
Defined in: yii\base\ActionFilter::beforeFilter()
| public void beforeFilter ( $event ) | ||
| $event | yii\base\ActionEvent | |
public function beforeFilter($event)
{
if (!$this->isActive($event->action)) {
return;
}
$event->isValid = $this->beforeAction($event->action);
if ($event->isValid) {
// call afterFilter only if beforeFilter succeeds
// beforeFilter and afterFilter should be properly nested
$this->owner->on(Controller::EVENT_AFTER_ACTION, [$this, 'afterFilter'], null, false);
} else {
$event->handled = true;
}
}
Defined in: yii\base\BaseObject::canGetProperty()
Returns a value indicating whether a property can be read.
A property is readable if:
- the class has a getter method associated with the specified name (in this case, property name is case-insensitive);
- the class has a member variable with the specified name (when
$checkVarsis true);
See also canSetProperty().
| public boolean canGetProperty ( $name, $checkVars = true ) | ||
| $name | string |
The property name |
| $checkVars | boolean |
Whether to treat member variables as properties |
| return | boolean |
Whether the property can be read |
|---|---|---|
public function canGetProperty($name, $checkVars = true)
{
return method_exists($this, 'get' . $name) || $checkVars && property_exists($this, $name);
}
Defined in: yii\base\BaseObject::canSetProperty()
Returns a value indicating whether a property can be set.
A property is writable if:
- the class has a setter method associated with the specified name (in this case, property name is case-insensitive);
- the class has a member variable with the specified name (when
$checkVarsis true);
See also canGetProperty().
| public boolean canSetProperty ( $name, $checkVars = true ) | ||
| $name | string |
The property name |
| $checkVars | boolean |
Whether to treat member variables as properties |
| return | boolean |
Whether the property can be written |
|---|---|---|
public function canSetProperty($name, $checkVars = true)
{
return method_exists($this, 'set' . $name) || $checkVars && property_exists($this, $name);
}
::class instead.
Defined in: yii\base\BaseObject::className()
Returns the fully qualified name of this class.
| public static string className ( ) | ||
| return | string |
The fully qualified name of this class. |
|---|---|---|
public static function className()
{
return get_called_class();
}
Defined in: yii\base\ActionFilter::detach()
Detaches the behavior object from the component.
The default implementation will unset the $owner property and detach event handlers declared in events(). Make sure you call the parent implementation if you override this method.
| public void detach ( ) |
public function detach()
{
if ($this->owner) {
$this->owner->off(Controller::EVENT_BEFORE_ACTION, [$this, 'beforeFilter']);
$this->owner->off(Controller::EVENT_AFTER_ACTION, [$this, 'afterFilter']);
$this->owner = null;
}
}
Defined in: yii\base\Behavior::events()
Declares event handlers for the $owner's events.
Child classes may override this method to declare what PHP callbacks should be attached to the events of the $owner component.
The callbacks will be attached to the $owner's events when the behavior is attached to the owner; and they will be detached from the events when the behavior is detached from the component.
The callbacks can be any of the following:
- method in this behavior:
'handleClick', equivalent to[$this, 'handleClick'] - object method:
[$object, 'handleClick'] - static method:
['Page', 'handleClick'] - anonymous function:
function ($event) { ... }
The following is an example:
[
Model::EVENT_BEFORE_VALIDATE => 'myBeforeValidate',
Model::EVENT_AFTER_VALIDATE => 'myAfterValidate',
]
| public array events ( ) | ||
| return | array |
Events (array keys) and the corresponding event handler methods (array values). |
|---|---|---|
public function events()
{
return [];
}
Extract CORS headers from the request.
| public array extractHeaders ( ) | ||
| return | array |
CORS headers to handle |
|---|---|---|
public function extractHeaders()
{
$headers = [];
foreach (array_keys($this->cors) as $headerField) {
$serverField = $this->headerizeToPhp($headerField);
$headerData = isset($_SERVER[$serverField]) ? $_SERVER[$serverField] : null;
if ($headerData !== null) {
$headers[$headerField] = $headerData;
}
}
return $headers;
}
Defined in: yii\base\ActionFilter::getActionId()
Returns an action ID by converting yii\base\Action::$uniqueId into an ID relative to the module.
| protected string getActionId ( $action ) | ||
| $action | yii\base\Action | |
protected function getActionId($action)
{
if ($this->owner instanceof Module) {
$mid = $this->owner->getUniqueId();
$id = $action->getUniqueId();
if ($mid !== '' && strpos($id, $mid) === 0) {
$id = substr($id, strlen($mid) + 1);
}
} else {
$id = $action->id;
}
return $id;
}
Defined in: yii\base\BaseObject::hasMethod()
Returns a value indicating whether a method is defined.
The default implementation is a call to php function method_exists().
You may override this method when you implemented the php magic method __call().
| public boolean hasMethod ( $name ) | ||
| $name | string |
The method name |
| return | boolean |
Whether the method is defined |
|---|---|---|
public function hasMethod($name)
{
return method_exists($this, $name);
}
Defined in: yii\base\BaseObject::hasProperty()
Returns a value indicating whether a property is defined.
A property is defined if:
- the class has a getter or setter method associated with the specified name (in this case, property name is case-insensitive);
- the class has a member variable with the specified name (when
$checkVarsis true);
See also:
| public boolean hasProperty ( $name, $checkVars = true ) | ||
| $name | string |
The property name |
| $checkVars | boolean |
Whether to treat member variables as properties |
| return | boolean |
Whether the property is defined |
|---|---|---|
public function hasProperty($name, $checkVars = true)
{
return $this->canGetProperty($name, $checkVars) || $this->canSetProperty($name, false);
}
Convert any string (including php headers with HTTP prefix) to header format.
Example:
- X-PINGOTHER -> X-Pingother
- X_PINGOTHER -> X-Pingother
| protected string headerize ( $string ) | ||
| $string | string |
String to convert |
| return | string |
The result in "header" format |
|---|---|---|
protected function headerize($string)
{
$headers = preg_split('/[\\s,]+/', $string, -1, PREG_SPLIT_NO_EMPTY);
$headers = array_map(function ($element) {
return str_replace(' ', '-', ucwords(strtolower(str_replace(['_', '-'], [' ', ' '], $element))));
}, $headers);
return implode(', ', $headers);
}
Convert any string (including php headers with HTTP prefix) to header format.
Example:
- X-Pingother -> HTTP_X_PINGOTHER
- X PINGOTHER -> HTTP_X_PINGOTHER
| protected string headerizeToPhp ( $string ) | ||
| $string | string |
String to convert |
| return | string |
The result in "php $_SERVER header" format |
|---|---|---|
protected function headerizeToPhp($string)
{
return 'HTTP_' . strtoupper(str_replace([' ', '-'], ['_', '_'], $string));
}
Defined in: yii\base\BaseObject::init()
Initializes the object.
This method is invoked at the end of the constructor after the object is initialized with the given configuration.
| public void init ( ) |
public function init()
{
}
Defined in: yii\base\ActionFilter::isActive()
Returns a value indicating whether the filter is active for the given action.
| protected boolean isActive ( $action ) | ||
| $action | yii\base\Action |
The action being filtered |
| return | boolean |
Whether the filter is active for the given action. |
|---|---|---|
protected function isActive($action)
{
$id = $this->getActionId($action);
if (empty($this->only)) {
$onlyMatch = true;
} else {
$onlyMatch = false;
foreach ($this->only as $pattern) {
if (StringHelper::matchWildcard($pattern, $id)) {
$onlyMatch = true;
break;
}
}
}
$exceptMatch = false;
foreach ($this->except as $pattern) {
if (StringHelper::matchWildcard($pattern, $id)) {
$exceptMatch = true;
break;
}
}
return !$exceptMatch && $onlyMatch;
}
Override settings for specific action.
| public void overrideDefaultSettings ( $action ) | ||
| $action | yii\base\Action |
The action settings to override |
public function overrideDefaultSettings($action)
{
if (isset($this->actions[$action->id])) {
$actionParams = $this->actions[$action->id];
$actionParamsKeys = array_keys($actionParams);
foreach ($this->cors as $headerField => $headerValue) {
if (in_array($headerField, $actionParamsKeys)) {
$this->cors[$headerField] = $actionParams[$headerField];
}
}
}
}
Handle classic CORS request to avoid duplicate code.
| protected void prepareAllowHeaders ( $type, $requestHeaders, &$responseHeaders ) | ||
| $type | string |
The kind of headers we would handle |
| $requestHeaders | array |
CORS headers request by client |
| $responseHeaders | array |
CORS response headers sent to the client |
protected function prepareAllowHeaders($type, $requestHeaders, &$responseHeaders)
{
$requestHeaderField = 'Access-Control-Request-' . $type;
$responseHeaderField = 'Access-Control-Allow-' . $type;
if (!isset($requestHeaders[$requestHeaderField], $this->cors[$requestHeaderField])) {
return;
}
if (in_array('*', $this->cors[$requestHeaderField])) {
$responseHeaders[$responseHeaderField] = $this->headerize($requestHeaders[$requestHeaderField]);
} else {
$requestedData = preg_split('/[\\s,]+/', $requestHeaders[$requestHeaderField], -1, PREG_SPLIT_NO_EMPTY);
$acceptedData = array_uintersect($requestedData, $this->cors[$requestHeaderField], 'strcasecmp');
if (!empty($acceptedData)) {
$responseHeaders[$responseHeaderField] = implode(', ', $acceptedData);
}
}
}
For each CORS headers create the specific response.
| public array prepareHeaders ( $requestHeaders ) | ||
| $requestHeaders | array |
CORS headers we have detected |
| return | array |
CORS headers ready to be sent |
|---|---|---|
public function prepareHeaders($requestHeaders)
{
$responseHeaders = [];
// handle Origin
if (isset($requestHeaders['Origin'], $this->cors['Origin'])) {
if (in_array($requestHeaders['Origin'], $this->cors['Origin'], true)) {
$responseHeaders['Access-Control-Allow-Origin'] = $requestHeaders['Origin'];
}
if (in_array('*', $this->cors['Origin'], true)) {
// Per CORS standard (https://fetch.spec.whatwg.org), wildcard origins shouldn't be used together with credentials
if (isset($this->cors['Access-Control-Allow-Credentials']) && $this->cors['Access-Control-Allow-Credentials']) {
if (YII_DEBUG) {
throw new InvalidConfigException("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.");
} else {
Yii::error("Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.", __METHOD__);
}
} else {
$responseHeaders['Access-Control-Allow-Origin'] = '*';
}
}
}
$this->prepareAllowHeaders('Headers', $requestHeaders, $responseHeaders);
if (isset($requestHeaders['Access-Control-Request-Method'])) {
$responseHeaders['Access-Control-Allow-Methods'] = implode(', ', $this->cors['Access-Control-Request-Method']);
}
if (isset($this->cors['Access-Control-Allow-Credentials'])) {
$responseHeaders['Access-Control-Allow-Credentials'] = $this->cors['Access-Control-Allow-Credentials'] ? 'true' : 'false';
}
if (isset($this->cors['Access-Control-Max-Age']) && $this->request->getIsOptions()) {
$responseHeaders['Access-Control-Max-Age'] = $this->cors['Access-Control-Max-Age'];
}
if (isset($this->cors['Access-Control-Expose-Headers'])) {
$responseHeaders['Access-Control-Expose-Headers'] = implode(', ', $this->cors['Access-Control-Expose-Headers']);
}
if (isset($this->cors['Access-Control-Allow-Headers'])) {
$responseHeaders['Access-Control-Allow-Headers'] = implode(', ', $this->cors['Access-Control-Allow-Headers']);
}
return $responseHeaders;
}