LLLLLLL Posted October 21, 2012

What is the correct syntax for listing multiple domains to be allowed for cross-domain AJAX calls? My code does this:

    <?php header("Access-Control-Allow-Origin: http://website.com");

This works when website.com is the caller, but not when www.website.com is the caller. So I tried:

    <?php header("Access-Control-Allow-Origin: http://website.com http://www.website.com");

... and...

    <?php header("Access-Control-Allow-Origin: http://website.com, http://www.website.com");

But these things don't work. When I say they don't work, I mean that neither website.com nor www.website.com will be able to make the call with those configurations. So right now the only option is to put * and allow everything. I don't want to do that.

Is there another header directive or something that I need? I saw something about Access-Control-Allow-Headers: X-Requested-With but that didn't work either.

scootstah Posted October 21, 2012

The idea is to use PHP (or whatever language) to look at the HTTP origin, and compare it against a list of allowed origins. If you have a match, you send the Access-Control-Allow-Origin header for that request.

LLLLLLL (Author) Posted October 21, 2012

But how do I know the HTTP Origin? From what I understand, $_SERVER['HTTP_ORIGIN'] isn't documented.

kicken Posted October 21, 2012

Just because it isn't documented doesn't mean it isn't there. Do a print_r($_SERVER) and look. Generally all the headers sent in a request will get put into the $_SERVER array with a HTTP_ prefix.

LLLLLLL (Author) Posted October 21, 2012

I don't have HTTP_ORIGIN in the requests. I've tested on my server and a couple customers. This won't work as a solution. So two questions:

1) What is the expected format to list domains? Comma-separated? Space-separated? Some server setting that determines the separation? It should work.

2) Can I put multiple headers like this? Is it expected and/or good practice?

    <?php
    header("Access-Control-Allow-Origin: http://website.com");
    header("Access-Control-Allow-Origin: http://www.website.com");

kicken Posted October 21, 2012

The spec says space separated. Whether browsers allow it or not I don't know, I have not really dealt with such stuff yet.

You should have the origin header value somewhere. It's a required header as part of the CORS stuff. If you're using a CGI setup you may need to configure the server to forward that header along to PHP.

LLLLLLL (Author) Posted October 21, 2012

Not a CGI server, and it's hard to know what all customers may have. I guess * is the only way to go.

damian1923 Posted November 15, 2012

try this

    <?php
    // Read the request's Origin header; guard against it being absent.
    $http_origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';

    // Send the CORS header only when the caller is one of the known origins.
    if ($http_origin == "http://www.domain1.com" || $http_origin == "http://www.domain2.com" || $http_origin == "http://www.domain3.info")
    {
        header('Access-Control-Allow-Origin: *');
    }
    ?>

LLLLLLL (Author) Posted November 15, 2012

As mentioned above, not all servers have HTTP_ORIGIN enabled.

txmedic03 Posted November 20, 2012

$_SERVER['HTTP_REFERER'];

You can do something like a preg_match() to check your domains against the HTTP_REFERER and see if you want to send the extra header() to allow cross-domain ajax requests. I'm fairly sure the HTTP_REFERER will do what you are looking for in this case, but lack of sleep may have me convinced of things that aren't necessarily true. I may eventually implement something along these lines for my own purposes, so if it works or you find a better way, don't forget to drop back by here and let me know how it turns out.
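
The allowlist check scootstah describes earlier in the thread, written out as an added example that is not code from any poster: the request's Origin is compared exactly against a list and, on a match, that single origin is echoed back with a `Vary: Origin` header. The names `ALLOWED_ORIGINS` and `cors_headers_for` are hypothetical, the two allowed domains are taken from the original question, the sample Origin values are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. Allowlist entries are the
// domains from the original question; all names here are hypothetical.
const ALLOWED_ORIGINS = [
    'http://website.com',
    'http://www.website.com',
];

/**
 * Return the header lines to send for a given request Origin value.
 * The matched origin is echoed back as a single value.
 */
function cors_headers_for(?string $origin, array $allowed): array
{
    // Vary on Origin so a shared cache never serves a response built
    // for one origin to a different one.
    $headers = ['Vary: Origin'];

    // No Origin header (for example a non-browser client): send no
    // CORS header at all instead of falling back to "*".
    if ($origin === null || $origin === '') {
        return $headers;
    }

    // Exact, strict comparison of the whole value. Substring or loose
    // regex matching would also accept look-alikes such as
    // "http://website.com.example.net".
    if (in_array($origin, $allowed, true)) {
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    }
    return $headers;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample Origin values for an offline run.
    $samples = ['http://www.website.com', 'http://website.com.example.net', null];
    foreach ($samples as $sample) {
        echo var_export($sample, true), ' => ',
            implode(' | ', cors_headers_for($sample, ALLOWED_ORIGINS)), PHP_EOL;
    }
} else {
    // Under a web server: apply the result to the current request.
    foreach (cors_headers_for($_SERVER['HTTP_ORIGIN'] ?? null, ALLOWED_ORIGINS) as $line) {
        header($line);
    }
}
```

Because only a value that already equals an allowlist entry is ever written into the header, nothing client-controlled reaches `header()` unchecked.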