Home » Php » php – Cross-Origin Request Blocked:

php – Cross-Origin Request Blocked:

Posted by: admin July 12, 2020 Leave a comment


I have a mobile app that uses an API to authenticate a user via a login form.

This has been working fine up-to today.. and now today when I attempt to login I get the following message in the console log:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myapp.local/myAppApi/V1/appLogin. 
This can be fixed by moving the resource to the same domain or enabling CORS.

Obviously I need to enable CORS from reading the message, within my myApiController.php I have the following code within my Yii application that I believe should be doing this:

protected function _renderJSON($status = 200)
    $statusCodeMessage = $this->_getStatusCodeMessage($status);
    header("HTTP/1.1 {$status} {$statusCodeMessage}");

    // allow for Cross Origin Resource Sharing
    header("Access-Control-Allow-Origin: *");
    header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE");
    header("Access-Control-Allow-Headers: Authorization");
    header('Content-type: application/json');
    echo CJSON::encode($this->jsonArray);

    foreach (Yii::app()->log->routes as $route) {
        if ($route instanceof CWebLogRoute) {
            $route->enabled = false; // disable any weblogroutes

Could anyone assist on how I can fix this? The app is made with the cordova framework and the API it connects to works via an PHP app built using Yii.

Any advice would be appreciated

I have added the following to my htaccess to no joy however

<ifModule mod_headers.c>
 Header set Access-Control-Allow-Origin: *
 Header set Access-Control-Allow-Headers: Authorization
 Header set Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE

I’ve come across this link which looks useful

How to&Answers:

Try adding below code in API controller constructor, it works for me.

header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, GET, POST");
header("Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept");