Edit report at https://bugs.php.net/bug.php?id=64174&edit=1
ID: 64174
Updated by: tyr...@php.net
Reported by: php dot net at dzubak dot sk
Summary: AJAX request blocked for bad origin
Status: Assigned
Type: Bug
Package: Website problem
PHP Version: Irrelevant
Assigned To: googleguy
Block user comment: N
Private report: N
New Comment:
'I had to keep the javascript relative to the host being used'
yeah, the problem is that we set a <base href="{$_SERVER['BASE_HREF']}" />
explicitly, where the BASE_HREF is set from the primary domain of the specific
mirror being used, so if a mirror is visited on non-primary host (which is
perfectly normal, like with our without www, or us.php.net vs us1.php.net) the
actual host and the host set via the base href will be different.
I think for now it would be safe to use the $_SERVER['HTTP_HOST'] and on the
long
run we should move everything to relative urls anyway.
Previous Comments:
------------------------------------------------------------------------
[2013-03-09 21:25:20] php dot net at dzubak dot sk
$_SERVER['HTTP_HOST'] is a user supplied header - yes, but webserver will show
PHP.net website only for valid $_SERVER['HTTP_HOST'] header.
In practice: it is user supplied and server filtered = safe.
------------------------------------------------------------------------
[2013-03-09 21:22:53] google...@php.net
$_SERVER['HTTP_HOST'] is a user supplied header and would be unreliable here.
The issue here is that php.net and www.php.net are the same thing in terms of
which server you're connecting to, but unfortunately they won't be seen as one
and
the same by your client UA. If infrastructure would have allowed for a better
solution I probably would have used it.
------------------------------------------------------------------------
[2013-03-09 21:08:18] php dot net at dzubak dot sk
Isnt it possible to have dynamic origin, based on $_SERVER['HTTP_HOST'] ?
------------------------------------------------------------------------
[2013-03-09 21:00:47] google...@php.net
Unfortunately, there's not much I can do about this as this works fine when
using the domain www.php.net, but will result in the aforementioned "not
allowed
by Access-Control-Allow-Origin" error when using the domain php.net. Since
php.net and www.php.net are seen as different hosts the javascript simply uses
whatever host is relative to the page you're on. For example, we have dozens of
mirrors like us.php.net, ca.php.net, uk.php.net, and since they all use
different domains I had to keep the javascript relative to the host being used.
This just means that when you visit http://php.net and not http://www.php.net
you get this problem.
I'm afraid I have no real solution to this problem and it's one we're just
going
to have to live with unless someone can come up with a better idea.
------------------------------------------------------------------------
[2013-02-23 13:46:29] florinpatan at gmail dot com
Request
URL:http://www.php.net/manual/vote-note.php?id=99646&page=memcached.sessions&vote=up
Request Method:POST
Status Code:200 OK
Request Headers
Accept:application/json, text/javascript, */*; q=0.01
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:0
Cookie:COUNTRY=ROM%2C79.119.87.98; LAST_LANG=en
Host:www.php.net
Origin:http://www.php.net
Referer:http://www.php.net/manual/en/memcached.sessions.php
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like
Gecko) Chrome/25.0.1364.97 Safari/537.22
X-Json:On
X-Requested-With:XMLHttpRequest
Query String Parameters
id:99646
page:memcached.sessions
vote:up
Response Headers
Connection:close
Content-Encoding:gzip
Content-language:en
Content-Length:106
Content-Type:text/html; charset=utf-8
Date:Sat, 23 Feb 2013 13:46:04 GMT
Server:Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q PHP/5.4.11-dev
Vary:User-Agent,Accept-Encoding
X-Powered-By:PHP/5.4.11-dev
Response from the website:
{"success":false,"msg":"Unable to complete your request at this time. Please
try again later..."}
Same thing happens when using Opera.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=64174
--
Edit this bug report at https://bugs.php.net/bug.php?id=64174&edit=1
--
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
