On Wed, Dec 11, 2013 at 12:26 AM, Sherif Ramadan <[email protected]> wrote:
> On Tue, Dec 10, 2013 at 8:33 PM, Hannes Magnusson <[email protected]> wrote:
>
>> On Tue, Dec 10, 2013 at 2:48 PM, Hannes Magnusson <[email protected]> wrote:
>> > On Tue, Dec 10, 2013 at 2:41 PM, Sherif Ramadan <[email protected]> wrote:
>> >>
>> >> On Tue, Dec 10, 2013 at 5:30 PM, Hannes Magnusson <[email protected]> wrote:
>> >>>
>> >>> On Tue, Dec 10, 2013 at 1:55 PM, Sherif Ramadan <[email protected]> wrote:
>> >>> > Commit: 540872824575ecfcdf42511a7784ccbd1d3f4e13
>> >>> > Author: Sherif Ramadan <[email protected]> Tue, 10 Dec 2013 16:55:48 -0500
>> >>> > Parents: 92aa114f859b695b82743feba122a3b27a6925a7
>> >>> > Branches: master
>> >>> >
>> >>> > Link:
>> >>> > http://git.php.net/?p=web/php.git;a=commitdiff;h=540872824575ecfcdf42511a7784ccbd1d3f4e13
>> >>> >
>> >>> > Log:
>> >>> > Fix potential Access-Control-Allow-Origin bug in vote-note.php - Bug #65887
>> >>> >
>> >>>
>> >>> Hmmmh... I already added this to prepend.inc, which this page is
>> >>> including.. Is that fix not working?
>> >>> I think it's better to fix it there than specifically for this page only.
>> >>>
>> >>> -Hannes
>> >>
>> >> Apparently I did not see that. Your fix seems to be relying on
>> >> $_SERVER["HTTP_ORIGIN"], but when the request comes from http://php.net the
>> >> Access-Control-Allow-Origin response header is always 'http://', which the
>> >> UA does not accept.
>> >
>> > Well.. That fix fixed the problem of loading javascript resources
>> > (such as autocomplete) from http://www.php.net when accessing
>> > http://php.net
>> >
>> > So I'm uncertain what exactly you mean by "response header is always
>> > 'http://'" ?
>>
>> Duuuuude... You are totally right :)
>> It was broken, completely, except on dev setups where you don't use port
>> 80 ;)
>>
>> It is fixed now.. Can this commit be reverted now?
>>
>> -Hannes
>
> Cool, yes I will revert this in a moment.
>

Hmmm, actually I'm still not sure it works properly. If I go to http://php.net/strstr and try to vote on any note, Chrome gives me the following error:

XMLHttpRequest cannot load http://www.php.net/manual/vote-note.php?id=113633&page=function.strstr&vote=up. The 'Access-Control-Allow-Origin' whitelists only 'http://php.net, http://www.php.net,https://www.php.net,http://72.52.91.14:8000'. Origin ' http://php.net' is not in the list, and is therefore not allowed access.

I'm confused. I thought Access-Control-Allow-Origin was a comma-separated list. Is http://php.net not in that list? Am I losing my mind? Or is Chrome just hating php.net?
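
The behaviour behind the Chrome error quoted in this thread, as an added example that is not part of the original messages or of php.net's code: a simplified model of the browser's Access-Control-Allow-Origin check next to a server-side allowlist that echoes one origin. Function names and the `http://php.net.example` origin are constructed for illustration, and the logic is written in JavaScript rather than the site's PHP.

```javascript
// Added example; all function names are hypothetical.

// Allowlist entries taken from the header value quoted in the Chrome error.
const ALLOWED_ORIGINS = new Set([
  "http://php.net",
  "http://www.php.net",
  "https://www.php.net",
  "http://72.52.91.14:8000",
]);

// Browser side (simplified from the Fetch standard's CORS check): the header
// value is compared as ONE string against the request's Origin. It is never
// split on commas, so a list only matches an origin equal to the whole list.
function browserAllows(requestOrigin, acaoHeader, withCredentials = false) {
  if (acaoHeader === null || acaoHeader === undefined) return false;
  if (acaoHeader === "*") return !withCredentials;
  return acaoHeader === requestOrigin;
}

// Server side: echo the single matching origin from the allowlist, or send no
// CORS header at all. "Vary: Origin" stops shared caches from replaying a
// response generated for one origin to a different one.
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return { Vary: "Origin" };
  }
  return { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" };
}

// Header value from the error message in the thread: a comma-separated list.
const listHeader =
  "http://php.net, http://www.php.net,https://www.php.net,http://72.52.91.14:8000";

function demo() {
  const origin = "http://php.net";
  const echoed = corsHeadersFor(origin)["Access-Control-Allow-Origin"];
  return {
    listAccepted: browserAllows(origin, listHeader),
    bareSchemeAccepted: browserAllows(origin, "http://"),
    echoedAccepted: browserAllows(origin, echoed),
    // Constructed look-alike origin that is not on the allowlist.
    lookalikeHeader: corsHeadersFor("http://php.net.example")["Access-Control-Allow-Origin"],
  };
}

console.log(demo());
```
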
