CORS not working with ActiveController

I have spent a few hours learning about Cross Origin Resource Sharing and implementing it into a Yii2 project but I am completely stumped.

I have a user controller that extends ActiveController in this RESTful application and set the behavior to look like this:




public function behaviors()

{

        $behaviors = parent::behaviors();

        $behaviors['corsFilter'] = [

                            'class' => Cors::className(),

                            'cors' => [

                                'Origin' => ['*', 'http://domain.web'],

                                'Access-Control-Request-Method' => ['POST', 'GET', 'HEAD', 'OPTIONS'],

                                'Access-Control-Request-Headers' => ['Expiry'],

                            ]

        ];


        return $behaviors;

}



I then have a registration form on another site that posts a request to the API like so:




        var url = 'http://domain.api/api/v1/user/register';


        $.ajax({

            type: "POST",

            beforeSend: function (request)

            {

                request.setRequestHeader("Expiry");

            },

            crossDomain: true,

            url: url,

            data: data,

            success: 'success',

            done: 'done(data)',

            dataType: 'json'

        });




I am receiving a 404 response which looks like this in the network debugger:




Remote Address:192.168.10.10:80

Request URL:http://domain.api/api/v1/user/register

Request Method:OPTIONS

Status Code:404 Not Found


Request Headers


Accept:*/*

Accept-Encoding:gzip, deflate, sdch

Accept-Language:en-US,en;q=0.8,en-AU;q=0.6

Access-Control-Request-Headers:access-control-allow-origin, accept, expiry, content-type

Access-Control-Request-Method:POST

Cache-Control:no-cache

Connection:keep-alive

Host:domain.api

Origin:http://domain.web

Pragma:no-cache

Referer:http://domain.web/session/register

User-Agent:some-agent


Response Headers


Connection:Keep-Alive

Content-Encoding:gzip

Content-Length:892

Content-Type:text/html; charset=UTF-8

Date:Tue, 31 Mar 2015 04:07:16 GMT

Keep-Alive:timeout=5, max=100

Server:Apache/2.2.22 (Debian)

Set-Cookie:_csrf=cDriOChtcdSfH4mFn2FYAOMr-QJZQ6hH; path=/; httponly

Vary:Accept-Encoding

X-Powered-By:PHP/5.4.39-0+deb7u2



And an error in the javascript console:




XMLHttpRequest cannot load http://domain.api/api/v1/user/register. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://domain.web' is therefore not allowed access. The response had HTTP status code 404.



I am looking for the response header of Access-Control-Allow-Origin: http://domain.api/ but it just isn’t there. Does anyone know what I’m doing wrong? I am completely out of ideas.