php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #68614 $_SERVER['HTTP_ORIGIN'] not documented
Submitted: 2014-12-16 09:24 UTC Modified: 2016-06-17 11:36 UTC
Votes:8
Avg. Score:4.5 ± 0.7
Reproduced:7 of 8 (87.5%)
Same Version:4 (57.1%)
Same OS:5 (71.4%)
From: phpnet at fpierrat dot fr Assigned:
Status: Open Package: Documentation problem
PHP Version: Irrelevant OS: n/d
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-12-16 09:24 UTC] phpnet at fpierrat dot fr 
Description:
------------
Hi,

I couldn't find any piece oh information on php.net (french) about $_SERVER['HTTP_ORIGIN'].

I need it for some tests before sending an "Access-Control-Allow-Origin" header for cross-domain ajax requests:
Requests can be sent from different hosts, I must identify the sending host, check if allowed against an array of allowed domains, and if ok, send this header with the return to the request.

In particularly need information about following points: 
- when is this superglobal set? when is it NOT set? Do specific values exist (null, empty string?)?
- is it always reliable or client/browser dependant? 
- besides, some information about its content would be appreciated, but maybe it's http more than php documentation: is the subdomain, the protocol and/or the port important for the client to be able to get the ajax return? For instance, a request sent from a https://www.example.com hosted page and a header allowing http://example.com are they compatible?

Hereunder a little extract of code, to show how I need to use it. It works in my tests, but I'm not sure it's not problematic with other browsers...

Test script:
---------------
if(isset($_SERVER['HTTP_ORIGIN'])) {// in case of cross domain ajax call
    $http_origin = $_SERVER['HTTP_ORIGIN']; 
    if(in_array($http_origin, $ajaxAllowedDomains))
       { header("Access-Control-Allow-Origin: $http_origin"); }
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-16 19:52 UTC] aharvey@php.net
-Summary: $_SERVER['HTTP_ORIGIN'] not documented +Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented -Package: HTTP related +Package: Translation problem
 [2014-12-16 19:52 UTC] aharvey@php.net 
Tagging, although my guess is that this is just accounted for by whatever documentation French has for $_SERVER variables created by HTTP headers (like Origin).
 [2016-06-17 11:36 UTC] cmb@php.net
-Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented +Summary: $_SERVER['HTTP_ORIGIN'] not documented -Package: Translation problem +Package: Documentation problem
 [2016-06-17 11:36 UTC] cmb@php.net 
It appears to me that this is not a translation issue, as the
English docs do not explain HTTP_* in general either, but only
list some common cases.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 21:01:29 2024 UTC