php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #68614 $_SERVER['HTTP_ORIGIN'] not documented
Submitted: 2014-12-16 09:24 UTC Modified: 2016-06-17 11:36 UTC
Votes:8
Avg. Score:4.5 ± 0.7
Reproduced:7 of 8 (87.5%)
Same Version:4 (57.1%)
Same OS:5 (71.4%)
From: phpnet at fpierrat dot fr Assigned:
Status: Open Package: Documentation problem
PHP Version: Irrelevant OS: n/d
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: phpnet at fpierrat dot fr
New email:
PHP Version: OS:

 

 [2014-12-16 09:24 UTC] phpnet at fpierrat dot fr
Description:
------------
Hi,

I couldn't find any piece oh information on php.net (french) about $_SERVER['HTTP_ORIGIN'].

I need it for some tests before sending an "Access-Control-Allow-Origin" header for cross-domain ajax requests:
Requests can be sent from different hosts, I must identify the sending host, check if allowed against an array of allowed domains, and if ok, send this header with the return to the request.

In particularly need information about following points: 
- when is this superglobal set? when is it NOT set? Do specific values exist (null, empty string?)?
- is it always reliable or client/browser dependant? 
- besides, some information about its content would be appreciated, but maybe it's http more than php documentation: is the subdomain, the protocol and/or the port important for the client to be able to get the ajax return? For instance, a request sent from a https://www.example.com hosted page and a header allowing http://example.com are they compatible?

Hereunder a little extract of code, to show how I need to use it. It works in my tests, but I'm not sure it's not problematic with other browsers...

Test script:
---------------
if(isset($_SERVER['HTTP_ORIGIN'])) {// in case of cross domain ajax call
    $http_origin = $_SERVER['HTTP_ORIGIN']; 
    if(in_array($http_origin, $ajaxAllowedDomains))
       { header("Access-Control-Allow-Origin: $http_origin"); }
}


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-16 19:52 UTC] aharvey@php.net
-Summary: $_SERVER['HTTP_ORIGIN'] not documented +Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented -Package: HTTP related +Package: Translation problem
 [2014-12-16 19:52 UTC] aharvey@php.net
Tagging, although my guess is that this is just accounted for by whatever documentation French has for $_SERVER variables created by HTTP headers (like Origin).
 [2016-06-17 11:36 UTC] cmb@php.net
-Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented +Summary: $_SERVER['HTTP_ORIGIN'] not documented -Package: Translation problem +Package: Documentation problem
 [2016-06-17 11:36 UTC] cmb@php.net
It appears to me that this is not a translation issue, as the
English docs do not explain HTTP_* in general either, but only
list some common cases.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 20:01:28 2024 UTC