PHP :: Doc Bug #68614 :: $_SERVER['HTTP

$_SERVER['HTTP_ORIGIN'] not documented

Submitted:

2014-12-16 09:24 UTC

Modified:

2016-06-17 11:36 UTC

Votes:	8
Avg. Score:	4.5 ± 0.7
Reproduced:	7 of 8 (87.5%)
Same Version:	4 (57.1%)
Same OS:	5 (71.4%)

From:

phpnet at fpierrat dot fr

Assigned:

Status:

Open

Package:

Documentation problem

PHP Version:

Irrelevant

OS:

n/d

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	phpnet at fpierrat dot fr
New email:
PHP Version:		OS:

New/Additional Comment:

[2014-12-16 09:24 UTC] phpnet at fpierrat dot fr

Description:
------------
Hi,

I couldn't find any piece oh information on php.net (french) about $_SERVER['HTTP_ORIGIN'].

I need it for some tests before sending an "Access-Control-Allow-Origin" header for cross-domain ajax requests:
Requests can be sent from different hosts, I must identify the sending host, check if allowed against an array of allowed domains, and if ok, send this header with the return to the request.

In particularly need information about following points: 
- when is this superglobal set? when is it NOT set? Do specific values exist (null, empty string?)?
- is it always reliable or client/browser dependant? 
- besides, some information about its content would be appreciated, but maybe it's http more than php documentation: is the subdomain, the protocol and/or the port important for the client to be able to get the ajax return? For instance, a request sent from a https://www.example.com hosted page and a header allowing http://example.com are they compatible?

Hereunder a little extract of code, to show how I need to use it. It works in my tests, but I'm not sure it's not problematic with other browsers...

Test script:
---------------
if(isset($_SERVER['HTTP_ORIGIN'])) {// in case of cross domain ajax call
    $http_origin = $_SERVER['HTTP_ORIGIN']; 
    if(in_array($http_origin, $ajaxAllowedDomains))
       { header("Access-Control-Allow-Origin: $http_origin"); }
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-12-16 19:52 UTC] aharvey@php.net

-Summary: $_SERVER['HTTP_ORIGIN'] not documented +Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented -Package: HTTP related +Package: Translation problem

[2014-12-16 19:52 UTC] aharvey@php.net

Tagging, although my guess is that this is just accounted for by whatever documentation French has for $_SERVER variables created by HTTP headers (like Origin).

[2016-06-17 11:36 UTC] cmb@php.net

-Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented +Summary: $_SERVER['HTTP_ORIGIN'] not documented -Package: Translation problem +Package: Documentation problem

[2016-06-17 11:36 UTC] cmb@php.net

It appears to me that this is not a translation issue, as the
English docs do not explain HTTP_* in general either, but only
list some common cases.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 10:01:30 2025 UTC