.htaccess

# WE CAN ALSO ENABLE CORS IN htaccess
# with AJAX withCredentials=false (cookies NOT sent)
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, PUT, OPTIONS, PATCH, DELETE"
Header always set Access-Control-Allow-Headers "X-Accept-Charset,X-Accept,Content-Type"
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]]

ApiController.php

// add this to your API controller in Yii

public function actionPreflight() {
    $content_type = 'application/json';
    $status = 200;
 
    // set the status
    $status_header = 'HTTP/1.1 ' . $status . ' ' . $this->_getStatusCodeMessage($status);
    header($status_header);
 
    header("Access-Control-Allow-Origin: *");
    header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE");
    header("Access-Control-Allow-Headers: Authorization");
    header('Content-type: ' . $content_type);
}

functionSendResponse.php

// Where ever the function "_sendResponse" is located
// add these lines, this will allow CORS


// Allows from any origin
// Allows a header called Authorization
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Headers: Authorization");

main.php

// REST CORS pattern
// A preflight request is basically an OPTIONS request to ask for permission to use cross-domain features.
// So we have add the proper verb in the url manager rules (config/main.php):

array('api/preflight', 'pattern'=>'api/*', 'verb'=>'OPTIONS'),