I have spent a few hours learning about Cross Origin Resource Sharing and implementing it into a Yii2 project but I am completely stumped.
I have a user controller that extends ActiveController in this RESTful application and set the behavior to look like this:

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['corsFilter'] = [
            'class' => Cors::className(),
            'cors' => [
                'Origin' => ['*', 'http://domain.web'],
                'Access-Control-Request-Method' => ['POST', 'GET', 'HEAD', 'OPTIONS'],
                'Access-Control-Request-Headers' => ['Expiry'],
            ]
        ];
        return $behaviors;
    }

I then have a registration form on another site that posts a request to the API like so:

    var url = 'http://domain.api/api/v1/user/register';
    $.ajax({
        type: "POST",
        beforeSend: function (request)
        {
            request.setRequestHeader("Expiry");
        },
        crossDomain: true,
        url: url,
        data: data,
        success: 'success',
        done: 'done(data)',
        dataType: 'json'
    });

I am receiving a 404 response which looks like this in the network debugger:
Remote Address:192.168.10.10:80
Request URL:http://domain.api/api/v1/user/register
Request Method:OPTIONS
Status Code:404 Not Found
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8,en-AU;q=0.6
Access-Control-Request-Headers:access-control-allow-origin, accept, expiry, content-type
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
Host:domain.api
Origin:http://domain.web
Pragma:no-cache
Referer:http://domain.web/session/register
User-Agent:some-agent
Response Headers
Connection:Keep-Alive
Content-Encoding:gzip
Content-Length:892
Content-Type:text/html; charset=UTF-8
Date:Tue, 31 Mar 2015 04:07:16 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.2.22 (Debian)
Set-Cookie:_csrf=cDriOChtcdSfH4mFn2FYAOMr-QJZQ6hH; path=/; httponly
Vary:Accept-Encoding
X-Powered-By:PHP/5.4.39-0+deb7u2
And an error in the JavaScript console:
XMLHttpRequest cannot load http://domain.api/api/v1/user/register. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://domain.web' is therefore not allowed access. The response had HTTP status code 404.
I am looking for the response header of Access-Control-Allow-Origin: http://domain.api/ but it just isn’t there. Does anyone know what I’m doing wrong? I am completely out of ideas.
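
The preflight exchange captured above, replayed through a simplified model of the browser's check, as an added example that is not part of the original post: it shows that a non-2xx status alone fails the preflight and that `Access-Control-Allow-Origin` has to equal the request's `Origin`. The function name and object shapes are assumptions, and `passingResponse` is constructed.

```javascript
// Simplified model of the browser's CORS preflight check (Fetch standard).
// Added example: object shapes and names are assumptions; header names are lower case.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const ALWAYS_ALLOWED_HEADERS = ['accept', 'accept-language', 'content-language'];

const splitList = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// Returns the reasons the preflight fails; an empty array means it passes.
function checkPreflight(req, res, withCredentials = false) {
  const problems = [];
  if (res.status < 200 || res.status > 299) problems.push(`status ${res.status} is not 2xx`);
  const origin = req.headers['origin'];
  const allowOrigin = res.headers['access-control-allow-origin'];
  // "*" only matches when the request is sent without credentials.
  if (allowOrigin !== origin && !(allowOrigin === '*' && !withCredentials)) {
    problems.push(`Access-Control-Allow-Origin is ${allowOrigin || 'absent'}, expected ${origin}`);
  }
  const method = req.headers['access-control-request-method'];
  const methods = splitList(res.headers['access-control-allow-methods']);
  const anyMethod = methods.includes('*') && !withCredentials;
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method) && !anyMethod) {
    problems.push(`method ${method} is not allowed`);
  }
  const allowed = splitList(res.headers['access-control-allow-headers']).map((h) => h.toLowerCase());
  const anyHeader = allowed.includes('*') && !withCredentials;
  for (const raw of splitList(req.headers['access-control-request-headers'])) {
    const name = raw.toLowerCase();
    if (ALWAYS_ALLOWED_HEADERS.includes(name) || anyHeader || allowed.includes(name)) continue;
    problems.push(`request header ${name} is not allowed`);
  }
  return problems;
}

// The OPTIONS exchange captured in the question.
const capturedRequest = { headers: {
  'origin': 'http://domain.web',
  'access-control-request-method': 'POST',
  'access-control-request-headers': 'access-control-allow-origin, accept, expiry, content-type',
} };
const capturedResponse = { status: 404, headers: {} };

// Constructed response that satisfies the same preflight.
const passingResponse = { status: 200, headers: {
  'access-control-allow-origin': 'http://domain.web',
  'access-control-allow-headers': 'Access-Control-Allow-Origin, Expiry, Content-Type',
} };

console.log(checkPreflight(capturedRequest, capturedResponse));
console.log(checkPreflight(capturedRequest, passingResponse));
```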