Yii2 CORS filters allow only specific origin domains fails
I have the following in my behaviors:

    // Imports needed by this controller fragment
    use yii\filters\Cors;
    use yii\filters\VerbFilter;
    use yii\filters\auth\CompositeAuth;
    use yii\filters\auth\HttpBearerAuth;
    use yii\filters\auth\QueryParamAuth;

    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Build the authenticator config and keep a copy in $auth
        $auth = $behaviors['authenticator'] = [
            'class' => CompositeAuth::className(),
            'authMethods' => [
                HttpBearerAuth::className(),
                QueryParamAuth::className(),
            ],
            'except' => ['login', 'check-token-validity', 'test-accounts'],
        ];

        // Remove the authenticator so that corsFilter is registered before it
        unset($behaviors['authenticator']);

        $behaviors['corsFilter'] = [
            'class' => Cors::className(),
            'cors' => [
                // 'Origin' => ['*'],
                'Access-Control-Allow-Credentials' => true,
                'Origin' => static::allowedDomains(),
                'Access-Control-Request-Method' => ['POST', 'PUT'],
                'Access-Control-Expose-Headers' => ['Access_status_code'],
            ],
        ];

        $behaviors['verbs'] = [
            'class' => VerbFilter::className(),
            'actions' => [
                'delete' => ['POST', 'OPTIONS'],
            ],
        ];

        // Re-add the authenticator after the CORS filter
        $behaviors['authenticator'] = $auth;
        //access
        return $behaviors;
    }

    // Origins that should be allowed to make cross-origin requests
    public static function allowedDomains()
    {
        return [
            'http://test1.example.com',
            'http://test2.example.com',
        ];
    }
As shown above, I have set the origin to the static domains above, but when I checked my ajax request's response I found that the response header origin is set as Access-Control-Allow-Origin: *
Also, I haven't been able to restrict access methods despite setting Access-Control-Request-Method.
What else do I need to add for this to work?
php yii2 cors
Does the response still have Access-Control-Allow-Origin: * if you send a request with Origin: http://not.on.the.white.list/ ?
– Quentin
Jan 3 at 19:04
Yes, the response still has Access-Control-Allow-Origin: * even when the origin is not on the whitelisted domain
– GEOFFREY MWANGI
Jan 4 at 9:16
How do you send ajax?
– SiZE
Jan 5 at 14:52
edited Jan 3 at 19:00 by Muhammad Omer Aslam
asked Jan 3 at 2:41 by GEOFFREY MWANGI
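The check Quentin's comment asks for can be written down as a small audit over captured response headers. This is an added example, not part of the original post and not Yii2 code: `auditCors` is a hypothetical helper, the allowlist is the one from the question, and the header sets are constructed samples (the credentials header in the first sample is an assumption).

```php
<?php
// Added example: audit captured CORS response headers against the question's allowlist.
const ALLOWED_ORIGINS = ['http://test1.example.com', 'http://test2.example.com'];

/** Returns findings for one request/response pair; an empty list means no mismatch. */
function auditCors(string $requestOrigin, array $responseHeaders, array $allowlist = ALLOWED_ORIGINS): array
{
    // Header names are case-insensitive, so normalise the keys before lookup.
    $h = array_change_key_case($responseHeaders, CASE_LOWER);
    $acao = $h['access-control-allow-origin'] ?? null;
    $creds = strtolower($h['access-control-allow-credentials'] ?? '') === 'true';
    $listed = in_array($requestOrigin, $allowlist, true);
    $findings = [];

    if ($acao === '*') {
        $findings[] = 'wildcard origin returned: the allowlist is not applied to this response';
        if ($creds) {
            $findings[] = 'wildcard with Allow-Credentials: true: browsers reject credentialed reads';
        }
    } elseif ($acao === $requestOrigin && !$listed) {
        $findings[] = "origin $requestOrigin was echoed although it is not on the allowlist";
    } elseif ($acao === null && $listed) {
        $findings[] = 'allowlisted origin received no Access-Control-Allow-Origin header';
    }
    // A per-origin value must come with Vary: Origin so shared caches do not reuse it.
    if ($acao !== null && $acao !== '*' && stripos($h['vary'] ?? '', 'origin') === false) {
        $findings[] = 'per-origin Access-Control-Allow-Origin without Vary: Origin';
    }
    return $findings;
}

// Constructed samples: [request Origin, response headers].
$samples = [
    'wildcard response as reported in the question (credentials header assumed)' =>
        ['http://not.on.the.white.list',
         ['Access-Control-Allow-Origin' => '*', 'Access-Control-Allow-Credentials' => 'true']],
    'allowlisted origin, expected result' => ['http://test1.example.com',
        ['Access-Control-Allow-Origin' => 'http://test1.example.com',
         'Access-Control-Allow-Credentials' => 'true', 'Vary' => 'Origin']],
    'off-list origin, expected result' => ['http://not.on.the.white.list', []],
];
foreach ($samples as $label => [$origin, $headers]) {
    $findings = auditCors($origin, $headers);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', PHP_EOL;
}
```

A wildcard on every response regardless of the request's Origin means the allowlist is not what produced the header, so the next thing to compare is which layer (application filter, web server, proxy) sets it.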