CORS error appears with ActiveController actions (index, view, update, delete) & no errors with my custom action


if I used (works fine with ‘GET’, ‘POST’, ‘UPDATE’ and ‘DELETE’ methods)

(with this configuration in urlManager ['class' => 'yii\rest\UrlRule', 'controller' => 'branches'],)

if I used (CORS error & works fine using Postman)

(I don’t want to add a rule to urlManager for every controller)

while if I used (works fine)

This is my controller:

use yii\filters\auth\HttpBearerAuth;
use yii\rest\ActiveController;

class BranchesController extends ActiveController
{
    public $modelClass = Branches::class;

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = ['class' => HttpBearerAuth::class];
        $auth = $behaviors['authenticator'];
        $behaviors['corsFilter'] = ['class' => \yii\filters\Cors::class];
        $behaviors['authenticator'] = $auth;
        $behaviors['authenticator']['except'] = ['options'];
        return $behaviors;
    }

    public function actionTest()
    {
        return 'any thing';
    }
}

BTW, I am using Vue.js as a frontend.
Any suggestions?

I’m not sure if I understand correctly. Are you using and so on directly? With REST apps it should not be called like that, use HTTP methods only. But it’s strange that CORS filter doesn’t work in that case. I have never used it though.

@Bizley Actually, I am still on my local server. Using HTTPS or HTTP has no effect on CORS policy; it works in Postman, and my custom action (actionTest() in the above controller) also works fine in the frontend.

Yes, I’m referring to .../index, .../create, and so on, not working properly with CORS. That is weird (to me).

In this case, CORS filters work for actions that are already in the controller (like actionTest()). I think I have to send CORS header in every request using beforeAction

'on beforeAction' => function ($event) {
    // send CORS headers here
},

Can you kindly guide me on how to do this?

That’s the thing - it should be done with this filter already here. But it makes me wonder because addCorsHeaders() there adds headers only when there are some in the first place, maybe this is the reason. Could you check it on your app?

Thanks for your time and for helping me.
I didn’t understand what you meant by the words “first place” and what to check.
The file Cors.php is completely identical to mine.
Can you take a look at this
I want to try to add the CORS header in 'on beforeAction', but I don’t know how. Can you help?

Debug your app and see if by the time the $this->addCorsHeaders($this->response, $responseCorsHeaders); is called in that filter, there are any headers already registered.

Finally, I found that I have to declare the verbs() function in my controller, even if it’s empty.
Like this

protected function verbs() { return []; }
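
An alternative to emptying verbs(), shown as an added example that is not code from the thread: ActiveController's default verbs() limits index and view to GET and HEAD, so the inherited VerbFilter rejects a preflight OPTIONS sent to those routes, and an empty verbs() lifts the method restrictions from every action. Registering the Cors filter ahead of the inherited filters lets it answer the preflight first while the verb rules stay in force. It assumes a Yii 2 release whose Cors filter answers preflight requests itself; the namespaces, the model location and the allowed origin are placeholders.

```php
<?php
// Added example, not code from the thread. Namespaces, the model location and
// the allowed origin are assumptions for illustration.
namespace app\controllers;

use app\models\Branches; // hypothetical model namespace
use yii\filters\Cors;
use yii\filters\auth\HttpBearerAuth;
use yii\rest\ActiveController;

class BranchesController extends ActiveController
{
    public $modelClass = Branches::class;

    public function behaviors()
    {
        $behaviors = parent::behaviors();

        // Bearer auth on every action except the built-in "options" action.
        $behaviors['authenticator'] = [
            'class' => HttpBearerAuth::class,
            'except' => ['options'],
        ];

        // Explicit CORS policy instead of the filter's default Origin "*".
        // The origin below is a constructed value for a local frontend dev server.
        $cors = [
            'class' => Cors::class,
            'cors' => [
                'Origin' => ['http://localhost:8080'],
                'Access-Control-Request-Method' => ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
                'Access-Control-Request-Headers' => ['Authorization', 'Content-Type'],
                'Access-Control-Max-Age' => 600,
            ],
        ];

        // Filters run in array order: Cors first, then verbFilter, authenticator, ...
        return ['corsFilter' => $cors] + $behaviors;
    }

    // verbs() is not overridden, so index/view stay GET+HEAD, create stays POST,
    // update stays PUT+PATCH and delete stays DELETE.
    public function actionTest()
    {
        return 'any thing';
    }
}
```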