Add handleOptions to Cors filter so OPTIONS requests are handled for …

…the preflight check.
yiisoft · Aug 16, 2017 · 6a6d90c · 6a6d90c
1 parent 6424acf
commit 6a6d90c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -6,6 +6,7 @@ Yii Framework 2 Change Log
 
 - New #14151: Added `AttributesBehavior` that assigns values specified to one or multiple attributes of an AR object when certain events happen (bscheshirwork)
 - Bug #6526: Fixed `yii\db\Command::batchInsert()` casting of double values correctly independent of the locale (cebe, leammas)
+- Chg #14618: Handle OPTIONS request in `yii\filter\Cors` so the preflight check isn't passed trough Authentication filters. (michaelarnauts)
 - Bug #14542: Ensured only ASCII characters are in CSRF cookie value since binary data causes issues with ModSecurity and some browsers (samdark)
 - Enh #14022: `yii\web\UrlManager::setBaseUrl()` now supports aliases (dmirogin)
 - Bug #14471: `ContentNegotiator` will always set one of the configured server response formats even if the client does not accept any of them (PowerGamer1)

diff --git a/framework/filters/Cors.php b/framework/filters/Cors.php
@@ -106,6 +106,12 @@ public function beforeAction($action)
         $responseCorsHeaders = $this->prepareHeaders($requestCorsHeaders);
         $this->addCorsHeaders($this->response, $responseCorsHeaders);
 
+        if ($this->request->isOptions && $this->request->headers->has('Access-Control-Request-Method')) {
+            // it is CORS preflight request, respond with 200 OK without further processing
+            $this->response->setStatusCode(200);
+            return false;
+        }
+
         return true;
     }