php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74126 Ajax SSL php.net -> secure.php.net preflight redirect
Submitted: 2017-02-19 08:07 UTC Modified: 2018-08-18 15:21 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: alexhacker64 at gmail dot com Assigned:
Status: Open Package: Website problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-02-19 08:07 UTC] alexhacker64 at gmail dot com
Description:
------------
https://secure.php.net does ajax requests to https://php.net including, but not limited to:

https://php.net/js/search-index.php?lang=...
https://php.net/manual/vote-note.php?id=...&page=...&vote=up
https://php.net/manual/vote-note.php?id=...&page=...&vote=down

which in preflight (OPTIONS) return redirect to corresponding https://secure.php.net/... addresses, which causes the following errors in browser:

XMLHttpRequest cannot load https://php.net/.... Response for preflight is invalid (redirect)

Tested in latest Chrome and Firefox browsers.

Expected result:
----------------
Voting up and down on https://secure.php.net/ works, "dynamic" search works.

Actual result:
--------------
Voting up and down causes "Something went wrong :(" with described error in dev console, search does something only after submitting the query.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-18 15:21 UTC] pollita@php.net
I'm struggling to find any instance of XMLHttpRequest anywhere in the site's codebase.  Could you reference a specific page this happens on, perhaps with reproduce steps?

It's also possible someone's removed the XHR usage since this bug was originally posted.
 [2018-08-20 08:35 UTC] vrana@php.net
The AJAX request is at https://github.com/php/web-php/blob/c68a31e5/js/search.js#L263. The URL is domain-less but there's <base href> set at https://github.com/php/web-php/blob/8014ec80/include/header.inc#L105 Which sets it to https://php.net at https://secure.php.net.
 [2018-08-20 09:08 UTC] vrana@php.net
There's no mirror for secure.php.net at https://master.php.net/manage/mirrors.php but there's a mirror for php.net which runs at the same host as secure.php.net. I'm not sure how but it seems that the script decides to use php.net as the mirror (maybe at https://github.com/php/web-php/blob/c68a31e5/include/site.inc#L531?).

We can try to add mirror secure.php.net but I'm scared to break something else. We can also special case it in the code.
 [2019-05-20 12:14 UTC] petk@php.net
I've requested to do a redirection to main canonical URL instead here https://bugs.php.net/bug.php?id=78040

Once that gets done, this will be resolved with a simple redirection before user even enters the secure.php.net documentation site.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 08 12:01:24 2019 UTC