Added check for HTTP_ORIGIN index (fix #1) #2
Conversation
This will throw CORS errors even when the origin is correct, but HTTP_ORIGIN is not set. The best thing to do here will be to check if HTTP_ORIGIN is set, and find another way to set the $origin variable.
Something like
$origin = $_SERVER['HTTP_ORIGIN'] ?? 'GET ORIGIN HERE'; // L 129
The http_referrer is apparently unsafe and remote_addr may return the IP instead. The best means may be to check for http_origin and manually check for the Origin header.
Sorry for all this 😂
Hi, looking in Google Chrome developer tools, there does not appear to be an Origin header sent. This is an old answer from Stack Overflow https://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request I'm still researching this some, but it looks like same-origin requests might not be required to send the Origin header & might be why HTTP_ORIGIN is not populated. If HTTP_ORIGIN is always populated when cross-origin requests occur, then the original commit of returning false & skipping the Allow-Origin header in the response may be fine?
Oh yeah. That's true, but in cases like yours, you'll get errors if you simply return false.
Perhaps using $_SERVER['HTTP_HOST'] when $_SERVER['HTTP_ORIGIN'] is not found?
Yes, thanks
Thanks for the PR
Description
Added an if statement to the top of function isOriginAllowed to check if the HTTP_ORIGIN index was set in $_SERVER and return false if it is not found.
This change prevents a notice exception from being thrown when $_SERVER['HTTP_ORIGIN'] does not exist and allows a user to view the resource.
This is not a breaking change because if $_SERVER['HTTP_ORIGIN'] is set, it would continue the rest of the flow inside function isOriginAllowed.
Related Issue
#1 ErrorException thrown with message "Undefined index: HTTP_ORIGIN"
After creating a default leaf mvc project, then attempting to view the project the user receives a notice exception.
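The two behaviours discussed in this thread, the undefined-index notice on a same-origin request and the reviewer's point that returning false must not turn into a CORS error, can be illustrated with a small standalone origin check. The code below is an added example written for this page; it is not the project's code and does not reproduce its isOriginAllowed signature. It assumes an allowlist array and takes the server variables as a parameter so it can be run against constructed requests; the origins and host names are made up.

```php
<?php
// Added example, not the project's own code. Guarding the HTTP_ORIGIN index (what the PR adds)
// avoids the "Undefined index: HTTP_ORIGIN" notice on requests that carry no Origin header,
// which is normal for same-origin browser navigation and for non-browser clients.

function isOriginAllowed(array $server, array $allowedOrigins): bool
{
    // Same guard as the PR: no Origin header means nothing to allow, so return false
    // instead of reading a missing index.
    if (!isset($server['HTTP_ORIGIN'])) {
        return false;
    }
    $origin = $server['HTTP_ORIGIN'];
    // Exact, strict comparison against the allowlist. Avoid prefix or substring matching,
    // which would also accept origins such as "https://app.example.test.other.test".
    return in_array($origin, $allowedOrigins, true);
}

function corsHeaders(array $server, array $allowedOrigins): array
{
    // The reviewer's concern: a false result must not become an error for same-origin users.
    // A request without Origin is not a cross-origin request, so simply emit no CORS headers
    // and serve the resource as usual.
    if (!isset($server['HTTP_ORIGIN'])) {
        return [];
    }
    if (!isOriginAllowed($server, $allowedOrigins)) {
        // Emitting no Access-Control-Allow-Origin (rather than "*" or an echoed Origin)
        // lets the browser block the cross-origin read while the server stays quiet.
        return [];
    }
    return [
        'Access-Control-Allow-Origin' => $server['HTTP_ORIGIN'],
        'Vary' => 'Origin', // caches must key on Origin once the header varies per request
    ];
}

// Constructed allowlist and sample requests (assumed values, not from the project).
$allowed = ['https://app.example.test'];
$requests = [
    'same-origin (no Origin header)' => ['HTTP_HOST' => 'app.example.test'],
    'allowed cross-origin'           => ['HTTP_HOST' => 'api.example.test', 'HTTP_ORIGIN' => 'https://app.example.test'],
    'unlisted cross-origin'          => ['HTTP_HOST' => 'api.example.test', 'HTTP_ORIGIN' => 'https://other.example.test'],
];

foreach ($requests as $label => $server) {
    echo $label, ': allowed=', var_export(isOriginAllowed($server, $allowed), true),
         ' headers=', json_encode(corsHeaders($server, $allowed)), PHP_EOL;
}
```

The HTTP_HOST fallback suggested in the conversation would populate $origin for the same-origin case; the example above reaches the same end state by recognising that a request without Origin needs no Access-Control-Allow-Origin header at all, so the missing index is neither an error nor a reason to widen the allowlist.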