Doc Bug #68614 $_SERVER['HTTP_ORIGIN'] not documented
Submitted: 2014-12-16 09:24 UTC Modified: 2016-06-17 11:36 UTC
Votes:8
Avg. Score:4.5 ± 0.7
Reproduced:7 of 8 (87.5%)
Same Version:4 (57.1%)
Same OS:5 (71.4%)
From: phpnet at fpierrat dot fr Assigned:
Status: Open Package: Documentation problem
PHP Version: Irrelevant OS: n/d
Private report: No CVE-ID: None
 [2014-12-16 09:24 UTC] phpnet at fpierrat dot fr
Description:
------------
Hi,

I couldn't find any piece of information on php.net (French) about $_SERVER['HTTP_ORIGIN'].

I need it for some tests before sending an "Access-Control-Allow-Origin" header for cross-domain ajax requests:
Requests can be sent from different hosts, I must identify the sending host, check if allowed against an array of allowed domains, and if ok, send this header with the return to the request.

I particularly need information about the following points:
- when is this superglobal set? when is it NOT set? Do specific values exist (null, empty string?)?
- is it always reliable or client/browser dependent?
- besides, some information about its content would be appreciated, but maybe it's http more than php documentation: is the subdomain, the protocol and/or the port important for the client to be able to get the ajax return? For instance, a request sent from a https://www.example.com hosted page and a header allowing http://example.com are they compatible?

Hereunder a little extract of code, to show how I need to use it. It works in my tests, but I'm not sure it's not problematic with other browsers...

Test script:
---------------
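if (isset($_SERVER['HTTP_ORIGIN'])) { // in case of cross-domain ajax call
    $http_origin = $_SERVER['HTTP_ORIGIN'];
    // $ajaxAllowedDomains: array of allowed origins, defined elsewhere in the script
    // strict comparison, so only an exact string match is echoed back
    if (in_array($http_origin, $ajaxAllowedDomains, true)) {
        header("Access-Control-Allow-Origin: $http_origin");
    }
}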
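
The allow-list check the report describes, as an added example that is not part of the original report or of the PHP manual. PHP fills `$_SERVER['HTTP_ORIGIN']` from the request's `Origin` header, which the client supplies, so the value decides which CORS header a browser gets back and is not proof of who sent the request. The function names and host names are hypothetical placeholders.

```php
<?php
// Added example; allow-list entries and sample origins are constructed.

/**
 * Decide which origin, if any, to echo back in Access-Control-Allow-Origin.
 * Returns null when no CORS header should be sent.
 */
function allowed_cors_origin(array $server, array $allowList): ?string
{
    // The key is simply absent when the client sent no Origin header.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if (!is_string($origin) || $origin === '') {
        return null;
    }
    // Browsers serialize an opaque origin (sandboxed frame, file:// page)
    // as the literal string "null"; it must never be treated as allowed.
    if ($origin === 'null') {
        return null;
    }
    // An origin is scheme + host + port. Compare the whole string exactly:
    // no prefix, suffix or regex matching, and strict comparison.
    return in_array($origin, $allowList, true) ? $origin : null;
}

function send_cors_headers(array $server, array $allowList): void
{
    // The response varies with the request's Origin, so shared caches
    // must key on it whether or not this origin was allowed.
    header('Vary: Origin');
    $origin = allowed_cors_origin($server, $allowList);
    if ($origin !== null) {
        header('Access-Control-Allow-Origin: ' . $origin);
    }
}

// Constructed sample inputs showing which values match.
$allowList = ['https://www.example.com', 'https://app.example.com:8443'];
$samples = [
    'https://www.example.com',            // exact match: allowed
    'http://www.example.com',             // scheme differs: rejected
    'https://example.com',                // host differs (no www): rejected
    'https://app.example.com',            // port differs: rejected
    'https://www.example.com.other.test', // passes a prefix check only: rejected
    'null',                               // opaque origin: rejected
    null,                                 // header not sent: rejected
];
foreach ($samples as $sample) {
    $server = $sample === null ? [] : ['HTTP_ORIGIN' => $sample];
    $result = allowed_cors_origin($server, $allowList);
    printf("%-42s => %s\n", var_export($sample, true), $result ?? '(no CORS header)');
}
```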


History

 [2014-12-16 19:52 UTC] aharvey@php.net
-Summary: $_SERVER['HTTP_ORIGIN'] not documented
+Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented
-Package: HTTP related
+Package: Translation problem
 [2014-12-16 19:52 UTC] aharvey@php.net
Tagging, although my guess is that this is just accounted for by whatever documentation French has for $_SERVER variables created by HTTP headers (like Origin).
 [2016-06-17 11:36 UTC] cmb@php.net
-Summary: [FR] $_SERVER['HTTP_ORIGIN'] not documented
+Summary: $_SERVER['HTTP_ORIGIN'] not documented
-Package: Translation problem
+Package: Documentation problem
 [2016-06-17 11:36 UTC] cmb@php.net
It appears to me that this is not a translation issue, as the
English docs do not explain HTTP_* in general either, but only
list some common cases.
 