Cross-Origin Request Headers(CORS) with PHP headers

by

Handling CORS requests properly is a tad more involved. Here is a function that will respond more fully (and properly).

/**
 *  An example CORS-compliant method.  It will allow any GET, POST, or OPTIONS requests from any
 *  origin.
 *
 *  In a production environment, you probably want to be more restrictive, but this gives you
 *  the general idea of what is involved.  For the nitty-gritty low-down, read:
 *
 *  - https://developer.mozilla.org/en/HTTP_access_control
 *  - https://fetch.spec.whatwg.org/#http-cors-protocol
 *
 */
function cors() {
    
    // Allow from any origin
    if (isset($_SERVER['HTTP_ORIGIN'])) {
        // Decide if the origin in $_SERVER['HTTP_ORIGIN'] is one
        // you want to allow, and if so:
        header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
        header('Access-Control-Allow-Credentials: true');
        header('Access-Control-Max-Age: 86400');    // cache for 1 day
    }
    
    // Access-Control headers are received during OPTIONS requests
    if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
        
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
            // may also be using PUT, PATCH, HEAD etc
            header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
        
        if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
            header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
    
        exit(0);
    }
    
    echo "You have CORS!";
}

Security Notes

Check the HTTP_ORIGIN header against a list of approved origins.

If the origin isn’t approved, then you should deny the request.

Please read the spec.

TL;DR

When a browser wants to execute a cross-site request it first confirms that this is okay with a “pre-flight” request to the URL. By allowing CORS you are telling the browser that responses from this URL can be shared with other domains.

CORS does not protect your server. CORS attempts to protect your users by telling browsers what the restrictions should be on sharing responses with other domains. Normally this kind of sharing is utterly forbidden, so CORS is a way to poke a hole in the browser’s normal security policy. These holes should be as small as possible, so always check the HTTP_ORIGIN against some kind of internal list.

There are some dangers here, especially if the data the URL serves up is normally protected. You are effectively allowing browser content that originated on some other server to read (and possibly manipulate) data on your server.

If you are going to use CORS, please read the protocol carefully (it is quite small) and try to understand what you’re doing. A reference URL is given in the code sample for that purpose.

Header security

It has been observed that the HTTP_ORIGIN header is insecure, and that is true. In fact, all HTTP headers are insecure to varying meanings of the term. Unless a header includes a verifiable signature/hmac, or the whole conversation is authenticated via TLS, headers are just “something the browser has told me”.

In this case, the browser is saying “an object from domain X wants to get a response from this URL. Is that okay?” The point of CORS is to be able to answer, “yes I’ll allow that”.

More Related Contents:

  1. Submit a form using Shift + Enter [duplicate]
  2. How is this not passing PHP values to JS and vice-versa?
  3. Origin is not allowed by Access-Control-Allow-Origin
  4. Download file through an ajax call php
  5. A CORS POST request works from plain JavaScript, but why not with jQuery?
  6. Returning JSON from PHP to JavaScript?
  7. file_get_contents(“php://input”) or $HTTP_RAW_POST_DATA, which one is better to get the body of JSON request?
  8. AngularJS: No “Access-Control-Allow-Origin” header is present on the requested resource [duplicate]
  9. How to prevent the “Confirm Form Resubmission” dialog?
  10. int((0.1+0.7)*10) = 7 in several languages. How to prevent this?
  11. Passing PHP variable into JavaScript [duplicate]
  12. Jquery – Uncaught TypeError: Cannot use ‘in’ operator to search for ‘324’ in
  13. How can we open a link in private browsing mode
  14. How does similar_text work?
  15. Automatically detect user’s current local time with JavaScript or PHP
  16. Pass data from jQuery to PHP for an ajax post
  17. Whats the easiest way to determine if a user is online? (PHP/MYSQL)
  18. Laravel 5.2 CORS, GET not working with preflight OPTIONS
  19. Javascript function post and call php script
  20. Unserialize PHP Array in Javascript
  21. onbeforeprint() and onafterprint() equivalent for non IE browsers
  22. How to rotate image and save the image
  23. Go Back to Previous Page
  24. Converting Javascript Regex to PHP
  25. Is there a function similar to setTimeout() (JavaScript) for PHP?
  26. How to keep form values after post [duplicate]
  27. Detect Ajax calling URL
  28. passing php string with multiple lines to a javascript function/variable
  29. How to assign Php variable value to Javascript variable? [duplicate]
  30. CORS: PHP: Response to preflight request doesn’t pass. Am allowing origin

Leave a Comment