|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #68614 $_SERVER['HTTP_ORIGIN'] not documented
Submitted: 2014-12-16 09:24 UTC Modified: 2016-06-17 11:36 UTC
Avg. Score:4.5 ± 0.7
Reproduced:7 of 8 (87.5%)
Same Version:4 (57.1%)
Same OS:5 (71.4%)
From: phpnet at fpierrat dot fr Assigned:
Status: Open Package: Documentation problem
PHP Version: Irrelevant OS: n/d
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-12-16 09:24 UTC] phpnet at fpierrat dot fr

I couldn't find any piece oh information on (french) about $_SERVER['HTTP_ORIGIN'].

I need it for some tests before sending an "Access-Control-Allow-Origin" header for cross-domain ajax requests:
Requests can be sent from different hosts, I must identify the sending host, check if allowed against an array of allowed domains, and if ok, send this header with the return to the request.

In particularly need information about following points: 
- when is this superglobal set? when is it NOT set? Do specific values exist (null, empty string?)?
- is it always reliable or client/browser dependant? 
- besides, some information about its content would be appreciated, but maybe it's http more than php documentation: is the subdomain, the protocol and/or the port important for the client to be able to get the ajax return? For instance, a request sent from a hosted page and a header allowing are they compatible?

Hereunder a little extract of code, to show how I need to use it. It works in my tests, but I'm not sure it's not problematic with other browsers...

Test script:
if(isset($_SERVER['HTTP_ORIGIN'])) {// in case of cross domain ajax call
    $http_origin = $_SERVER['HTTP_ORIGIN']; 
    if(in_array($http_origin, $ajaxAllowedDomains))
       { header("Access-Control-Allow-Origin: $http_origin"); }


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-16 19:52 UTC]
-Summary: $_SERVER['HTTP_ORIGIN'] not documented +Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented -Package: HTTP related +Package: Translation problem
 [2014-12-16 19:52 UTC]
Tagging, although my guess is that this is just accounted for by whatever documentation French has for $_SERVER variables created by HTTP headers (like Origin).
 [2016-06-17 11:36 UTC]
-Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented +Summary: $_SERVER['HTTP_ORIGIN'] not documented -Package: Translation problem +Package: Documentation problem
 [2016-06-17 11:36 UTC]
It appears to me that this is not a translation issue, as the
English docs do not explain HTTP_* in general either, but only
list some common cases.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 29 07:01:34 2024 UTC