assigning it to Sherif

Request URL:http://www.php.net/manual/vote-note.php?id=99646&page=memcached.sessions&vote=up
Request Method:POST
Status Code:200 OK

Request Headers
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:0
Cookie:COUNTRY=ROM%2C79.119.87.98; LAST_LANG=en
Host:www.php.net
Origin:http://www.php.net
Referer:http://www.php.net/manual/en/memcached.sessions.php
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22
X-Json:On
X-Requested-With:XMLHttpRequest

Query String Parameters
id:99646
page:memcached.sessions
vote:up

Response Headers
Connection:close
Content-Encoding:gzip
Content-language:en
Content-Length:106
Content-Type:text/html; charset=utf-8
Date:Sat, 23 Feb 2013 13:46:04 GMT
Server:Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.4.11-dev
Vary:User-Agent,Accept-Encoding
X-Powered-By:PHP/5.4.11-dev

Response from the website:
{"success":false,"msg":"Unable to complete your request at this time. Please try again later..."}


Same thing happens when using Opera.

Unfortunately, there's not much I can do about this as this works fine when 
using the domain www.php.net, but will result in the aforementioned "not allowed 
by Access-Control-Allow-Origin" error when using the domain php.net. Since 
php.net  and www.php.net are seen as different hosts the javascript simply uses 
whatever host is relative to the page you're on. For example, we have dozens of 
mirrors like us.php.net, ca.php.net, uk.php.net, and since they all use 
different domains I had to keep the javascript relative to the host being used. 
This just means that when you visit http://php.net and not http://www.php.net 
you get this problem.

I'm afraid I have no real solution to this problem and it's one we're just going 
to have to live with unless someone can come up with a better idea.

Isnt it possible to have dynamic origin, based on $_SERVER['HTTP_HOST'] ?

$_SERVER['HTTP_HOST'] is a user supplied header and would be unreliable here.

The issue here is that php.net and www.php.net are the same thing in terms of 
which server you're connecting to, but unfortunately they won't be seen as one and 
the same by your client UA. If infrastructure would have allowed for a better 
solution I probably would have used it.

$_SERVER['HTTP_HOST'] is a user supplied header - yes, but webserver will show 
PHP.net website only for valid $_SERVER['HTTP_HOST'] header.

In practice: it is user supplied and server filtered = safe.

'I had to keep the javascript relative to the host being used'
yeah, the problem is that we set a <base href="{$_SERVER['BASE_HREF']}" /> 
explicitly, where the BASE_HREF is set from the primary domain of the specific 
mirror being used, so if a mirror is visited on non-primary host (which is 
perfectly normal, like with our without www, or us.php.net vs us1.php.net) the 
actual host and the host set via the base href will be different.
I think for now it would be safe to use the $_SERVER['HTTP_HOST'] and on the long 
run we should move everything to relative urls anyway.

hm, on a second thought: we have a separate ip configured for the php.net website, 
and no other catch-all virtual host is configured, so a http request to that ip 
would end up served by the php.net website, even if the Host header is bogus or 
malicious, and I suppose that there are a couple of mirrors with similar setup, so 
we should validate the HTTP_HOST before using it.

This was fixed few weeks ago