Cross-Origin Request Headers CORS with PHP headers

Question

I have a simple PHP script that I am attempting a cross-domain CORS request    lt  php header  Access-Control-Allow-Origin       header  Access-Control-Allow-Headers             Yet I still get the error      Request header field X-Requested-With is not allowed by Access-Control-Allow-Headers   Anything I m missing

User · Answer

this should work  header  Access-Control-Allow-Origin       header  Access-Control-Allow-Headers  X-Requested-With  Content-Type  Origin  Cache-Control  Pragma  Authorization  Accept  Accept-Encoding

User · Answer

add this code in  htaccess  add custom authentication key s in header like app key auth key  etc   Header set Access-Control-Allow-Origin     Header set Access-Control-Allow-Headers   customKey1 customKey2  headers  Origin  X-Requested-With  Content-Type  Accept  Authorization

User · Answer

I ve simply managed to get dropzone and other plugin to work with this fix  angularjs   php backend    header  Access-Control-Allow-Origin            header  Access-Control-Allow-Credentials  true        header  Access-Control-Allow-Methods  GET  PUT  POST  DELETE  OPTIONS        header  Access-Control-Max-Age  1000        header  Access-Control-Allow-Headers  Origin  Content-Type  X-Auth-Token   Authorization      add this in your upload php or where you would send your request  for example if you have upload html and you need to attach the files to upload php  then copy and paste these 4 lines   Also if you re using CORS plugins addons in chrome mozilla be sure to toggle them more than one time in order for CORS to be enabled

User · Answer

This much code works down for me when using angular 4 as the client side and PHP as the server side   header  Access-Control-Allow-Origin

User · Answer

Many description internet-wide don t mention that specifying Access-Control-Allow-Origin is not enough  Here is a complete example that works for me    lt  php     if    SERVER  REQUEST METHOD        OPTIONS             header  Access-Control-Allow-Origin               header  Access-Control-Allow-Methods  POST  GET  DELETE  PUT  PATCH  OPTIONS            header  Access-Control-Allow-Headers  token  Content-Type            header  Access-Control-Max-Age  1728000            header  Content-Length  0            header  Content-Type  text plain            die               header  Access-Control-Allow-Origin           header  Content-Type  application json          ret              result    gt   OK              print json encode  ret

User · Answer

Handling CORS requests properly is a tad more involved   Here is a function that will respond more fully  and properly           An example CORS-compliant method   It will allow any GET  POST  or OPTIONS requests from any     origin         In a production environment  you probably want to be more restrictive  but this gives you     the general idea of what is involved   For the nitty-gritty low-down  read         - https   developer mozilla org en HTTP access control     - https   fetch spec whatwg org  http-cors-protocol        function cors                 Allow from any origin     if  isset   SERVER  HTTP ORIGIN                  Decide if the origin in   SERVER  HTTP ORIGIN   is one            you want to allow  and if so          header  quot Access-Control-Allow-Origin     SERVER  HTTP ORIGIN    quot            header  Access-Control-Allow-Credentials  true            header  Access-Control-Max-Age  86400          cache for 1 day                   Access-Control headers are received during OPTIONS requests     if    SERVER  REQUEST METHOD       OPTIONS                      if  isset   SERVER  HTTP ACCESS CONTROL REQUEST METHOD                    may also be using PUT  PATCH  HEAD etc             header  quot Access-Control-Allow-Methods  GET  POST  OPTIONS quot                              if  isset   SERVER  HTTP ACCESS CONTROL REQUEST HEADERS                 header  quot Access-Control-Allow-Headers     SERVER  HTTP ACCESS CONTROL REQUEST HEADERS    quot                 exit 0                  echo  quot You have CORS  quot      Security Notes When a browser wants to execute a cross-site request it first confirms that this is okay with a  quot pre-flight quot  request to the URL   By allowing CORS you are telling the browser that responses from this URL can be shared with other domains  CORS does not protect your server   CORS attempts to protect your users by telling browsers what the restrictions should be on sharing responses with other domains   Normally this kind of sharing is utterly forbidden  so CORS is a way to poke a hole in the browser s normal security policy   These holes should be as small as possible  so always check the HTTP ORIGIN against some kind of internal list  There are some dangers here  especially if the data the URL serves up is normally protected   You are effectively allowing browser content that originated on some other server to read  and possibly manipulate  data on your server  If you are going to use CORS  please read the protocol carefully  it is quite small  and try to understand what you re doing   A reference URL is given in the code sample for that purpose  Header security It has been observed that the HTTP ORIGIN header is insecure  and that is true   In fact  all HTTP headers are insecure to varying meanings of the term   Unless a header includes a verifiable signature hmac  or the whole conversation is authenticated via TLS  headers are just  quot something the browser has told me quot   In this case  the browser is saying  quot an object from domain X wants to get a response from this URL   Is that okay  quot   The point of CORS is to be able to answer   quot yes I ll allow that quot

User · Answer

CORS can become a headache  if we do not correctly understand its functioning  I use them in PHP and they work without problems  reference here  header  Access-Control-Allow-Origin       header  Access-Control-Allow-Credentials  true    header  Access-Control-Max-Age  1000    header  Access-Control-Allow-Headers  X-Requested-With  Content-Type  Origin  Cache-Control  Pragma  Authorization  Accept  Accept-Encoding    header  Access-Control-Allow-Methods  PUT  POST  GET  OPTIONS  DELETE

User · Answer

Access-Control-Allow-Headers does not allow   as accepted value  see the Mozilla Documentation here   Instead of the asterisk  you should send the accepted headers  first X-Requested-With as the error says

User · Answer

In Windows  paste this command in run window just for time being to test the code  chrome exe --user-data-dir  C  Chrome dev session  --disable-web-security

User · Answer

I got the same error  and fixed it with the following PHP in my back-end script   header  Access-Control-Allow-Origin        header  Access-Control-Allow-Methods  GET  POST     header  Access-Control-Allow-Headers  X-Requested-With

User · Answer

If you want to create a CORS service from PHP  you can use this code as the first step in your file that handles the requests      Allow from any origin if isset   SERVER  HTTP ORIGIN              You can decide if the origin in   SERVER  HTTP ORIGIN   is something you want to allow  or as we do here  just allow all     header  Access-Control-Allow-Origin     SERVER  HTTP ORIGIN         else         No HTTP ORIGIN set  so we allow any  You can disallow if needed here     header  Access-Control-Allow-Origin          header  Access-Control-Allow-Credentials  true    header  Access-Control-Max-Age  600          cache for 10 minutes  if   SERVER  REQUEST METHOD       OPTIONS         if  isset   SERVER  HTTP ACCESS CONTROL REQUEST METHOD             header  Access-Control-Allow-Methods  POST  GET  OPTIONS  DELETE  PUT      Make sure you remove those you do not want to support      if  isset   SERVER  HTTP ACCESS CONTROL REQUEST HEADERS             header  Access-Control-Allow-Headers     SERVER  HTTP ACCESS CONTROL REQUEST HEADERS              Just exit with 200 OK with the above headers for OPTIONS method     exit 0       From here  handle the request as it is ok

[php] Cross-Origin Request Headers(CORS) with PHP headers

Examples related to php

Examples related to javascript

Examples related to xmlhttprequest

Examples related to cors