I have been wrestling with Cross Origin Resource Sharing for an API that I’m building. I have some actions to work but it fails where I require auth. The request is authenticated by sending a custom token in the header. I’ve read as much as I can find and found that the browser will send the request by the OPTIONS method first to see if the cross origin request is allowed, and then after success try as again with the original method (GET or POST). However the browser won’t send any custom headers with the OPTIONS method, preventing authentication and returning a 401.
I have tried setting Access-Control-Allow-Credentials to true but I can’t see how this would help as the browser has already failed to send the header token to get this far.
How can this be overcome in Yii?
EDIT: Ideally, on the OPTIONS request I would prefer to just reply with the CORS headers rather than trying to process the authentication and complete action.