Edit report at https://bugs.php.net/bug.php?id=64174&edit=1

 ID:                 64174
 Updated by:         tyr...@php.net
 Reported by:        php dot net at dzubak dot sk
 Summary:            AJAX request blocked for bad origin
 Status:             Assigned
 Type:               Bug
 Package:            Website problem
 PHP Version:        Irrelevant
 Assigned To:        googleguy
 Block user comment: N
 Private report:     N

 New Comment:

hm, on a second thought: we have a separate ip configured for the php.net website, and no other catch-all virtual host is configured, so an http request to that ip would end up served by the php.net website, even if the Host header is bogus or malicious, and I suppose that there are a couple of mirrors with a similar setup, so we should validate the HTTP_HOST before using it.

Previous Comments:
------------------------------------------------------------------------
[2013-03-17 20:56:46] tyr...@php.net

'I had to keep the javascript relative to the host being used'

yeah, the problem is that we set a <base href="{$_SERVER['BASE_HREF']}" /> explicitly, where the BASE_HREF is set from the primary domain of the specific mirror being used, so if a mirror is visited on a non-primary host (which is perfectly normal, like with or without www, or us.php.net vs us1.php.net) the actual host and the host set via the base href will be different.

I think for now it would be safe to use the $_SERVER['HTTP_HOST'] and in the long run we should move everything to relative urls anyway.

------------------------------------------------------------------------
[2013-03-09 21:25:20] php dot net at dzubak dot sk

$_SERVER['HTTP_HOST'] is a user supplied header - yes, but the webserver will show the PHP.net website only for a valid $_SERVER['HTTP_HOST'] header. In practice: it is user supplied and server filtered = safe.

------------------------------------------------------------------------
[2013-03-09 21:22:53] google...@php.net

$_SERVER['HTTP_HOST'] is a user supplied header and would be unreliable here.

The issue here is that php.net and www.php.net are the same thing in terms of which server you're connecting to, but unfortunately they won't be seen as one and the same by your client UA. If infrastructure would have allowed for a better solution I probably would have used it.

------------------------------------------------------------------------
[2013-03-09 21:08:18] php dot net at dzubak dot sk

Isn't it possible to have a dynamic origin, based on $_SERVER['HTTP_HOST']?

------------------------------------------------------------------------
[2013-03-09 21:00:47] google...@php.net

Unfortunately, there's not much I can do about this as this works fine when using the domain www.php.net, but will result in the aforementioned "not allowed by Access-Control-Allow-Origin" error when using the domain php.net. Since php.net and www.php.net are seen as different hosts the javascript simply uses whatever host is relative to the page you're on. For example, we have dozens of mirrors like us.php.net, ca.php.net, uk.php.net, and since they all use different domains I had to keep the javascript relative to the host being used. This just means that when you visit http://php.net and not http://www.php.net you get this problem.

I'm afraid I have no real solution to this problem and it's one we're just going to have to live with unless someone can come up with a better idea.

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=64174
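One way to do the Host validation the latest comment calls for, as an added example that is not php.net's own code: the mirror's primary hostname plus its known aliases form an allowlist, and the request's Host header is used for the base href / Access-Control-Allow-Origin value only when it matches that list exactly, falling back to the configured BASE_HREF host otherwise. The `$mirrorHosts` list, the `pickOrigin()` function and the sample Host values are assumptions.

```php
<?php
// Added example (not php.net's own code). Hypothetical allowlist of the
// hostnames this mirror legitimately answers for; in practice it would live
// in the mirror's configuration next to BASE_HREF.
$mirrorHosts = ['www.php.net', 'php.net', 'us.php.net', 'us1.php.net'];

/**
 * Return the scheme://host to emit in <base href> and Access-Control-Allow-Origin.
 * The Host header is client-controlled, so it is trusted only when it is an
 * exact, case-insensitive match for a configured mirror hostname. A missing
 * header, an unknown host, or anything that is not plain host[:port] falls
 * back to the configured primary host.
 */
function pickOrigin(array $allowedHosts, string $primaryHost, ?string $hostHeader, bool $https = false): string
{
    $scheme = $https ? 'https' : 'http';
    $host   = $primaryHost;
    if ($hostHeader !== null) {
        $candidate = strtolower(trim($hostHeader));
        // Accept host[:port] only; the captured group is the bare hostname.
        if (preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?$/', $candidate, $m)
            && in_array($m[1], array_map('strtolower', $allowedHosts), true)) {
            $host = $m[1];
        }
    }
    return $scheme . '://' . $host;
}

// Constructed sample Host headers and the origin each one resolves to.
$samples = [
    'php.net',              // listed alias          -> http://php.net
    'US1.PHP.NET:80',       // case and port ignored -> http://us1.php.net
    'unknown.example',      // not a mirror          -> http://www.php.net
    'php.net.example.com',  // suffix lookalike      -> http://www.php.net
    null,                   // HTTP/1.0, no Host     -> http://www.php.net
];
foreach ($samples as $h) {
    printf("%-24s => %s\n", var_export($h, true), pickOrigin($mirrorHosts, 'www.php.net', $h));
}
```

The return value is what would be written into the base href and sent as the CORS origin, so an unlisted Host header can never reach either.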