Ahh, that's possible. I'll revert my changes and see if that fixes the problem.

On Wed, Dec 11, 2013 at 12:39 AM, Hannes Magnusson <[email protected]> wrote:

> On Tue, Dec 10, 2013 at 9:35 PM, Sherif Ramadan <[email protected]> wrote:
> >
> > On Wed, Dec 11, 2013 at 12:26 AM, Sherif Ramadan <[email protected]> wrote:
> >>
> >> On Tue, Dec 10, 2013 at 8:33 PM, Hannes Magnusson <[email protected]> wrote:
> >>>
> >>> On Tue, Dec 10, 2013 at 2:48 PM, Hannes Magnusson <[email protected]> wrote:
> >>> > On Tue, Dec 10, 2013 at 2:41 PM, Sherif Ramadan <[email protected]> wrote:
> >>> >>
> >>> >> On Tue, Dec 10, 2013 at 5:30 PM, Hannes Magnusson <[email protected]> wrote:
> >>> >>>
> >>> >>> On Tue, Dec 10, 2013 at 1:55 PM, Sherif Ramadan <[email protected]> wrote:
> >>> >>> > Commit:    540872824575ecfcdf42511a7784ccbd1d3f4e13
> >>> >>> > Author:    Sherif Ramadan <[email protected]>    Tue, 10 Dec 2013 16:55:48 -0500
> >>> >>> > Parents:   92aa114f859b695b82743feba122a3b27a6925a7
> >>> >>> > Branches:  master
> >>> >>> >
> >>> >>> > Link:      http://git.php.net/?p=web/php.git;a=commitdiff;h=540872824575ecfcdf42511a7784ccbd1d3f4e13
> >>> >>> >
> >>> >>> > Log:
> >>> >>> > Fix potential Access-Control-Allow-Origin bug in vote-note.php - Bug #65887
> >>> >>> >
> >>> >>>
> >>> >>> Hmmmh... I already added this to prepend.inc, which this page is
> >>> >>> including.. Is that fix not working?
> >>> >>> I think it's better to fix it there than specifically for this page only.
> >>> >>>
> >>> >>> -Hannes
> >>> >>
> >>> >> Apparently I did not see that. Your fix seems to be relying on
> >>> >> $_SERVER["HTTP_ORIGIN"], but when the request comes from http://php.net the
> >>> >> Access-Control-Allow-Origin response header is always 'http://', which the
> >>> >> UA does not accept.
> >>> >
> >>> > Well..
> >>> > That fix fixed the problem of loading javascript resources
> >>> > (such as autocomplete) from http://www.php.net when accessing
> >>> > http://php.net
> >>> >
> >>> > So I'm uncertain what exactly you mean by "response header is always
> >>> > 'http://'" ?
> >>>
> >>> Duuuuude... You are totally right :)
> >>> It was broken, completely, except on dev setups where you don't use port 80 ;)
> >>>
> >>> It is fixed now.. Can this commit be reverted now?
> >>>
> >>> -Hannes
> >>
> >> Cool, yes I will revert this in a moment.
> >
> > Hmmm, actually I'm still not sure it works properly. If I go to
> > http://php.net/strstr and try to vote on any note Chrome gives me the
> > following error:
> >
> > XMLHttpRequest cannot load
> > http://www.php.net/manual/vote-note.php?id=113633&page=function.strstr&vote=up.
> > The 'Access-Control-Allow-Origin' whitelists only
> > 'http://php.net,http://www.php.net,https://www.php.net,
> > http://72.52.91.14:8000'.
> > Origin 'http://php.net' is not in the list, and is therefore not allowed
> > access.
> >
> > I'm confused. I thought Access-Control-Allow-Origin was a comma separated
> > list. Is http://php.net not in that list? Am I losing my mind? Or is Chrome
> > just hating php.net?
>
> Not all browsers support comma separated list, which is why the
> implementation in include/prepend.inc used whatever it received (as
> long as it was php.net).
>
> -Hannes
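
The point the thread ends on, sending back one origin chosen from what the request sent instead of a comma-separated list, shown as an added example that is not part of the thread and is not the code in include/prepend.inc. The function names are hypothetical, the allowlist is copied from the Chrome error quoted above, and `browser_accepts()` is a simplified stand-in for the browser's comparison (no credentials handling).

```php
<?php
// Added illustration; names are hypothetical, not php.net's own code.
// Allowlist values are the ones shown in the Chrome error in the thread.
const ALLOWED_ORIGINS = [
    'http://php.net',
    'http://www.php.net',
    'https://www.php.net',
    'http://72.52.91.14:8000',
];

// Return the single origin to echo back, or null to send no CORS header.
function cors_allow_origin(?string $requestOrigin, array $allowed = ALLOWED_ORIGINS): ?string
{
    if ($requestOrigin === null || $requestOrigin === '') {
        return null; // no Origin header: not a cross-origin request
    }
    // Exact, strict comparison of the whole origin (scheme, host, port).
    // A substring or suffix test on "php.net" would also accept look-alike hosts.
    return in_array($requestOrigin, $allowed, true) ? $requestOrigin : null;
}

// Build the response headers; Vary: Origin keeps caches from reusing a
// response generated for one origin when answering another.
function cors_headers(?string $requestOrigin): array
{
    $headers = ['Vary: Origin'];
    $origin = cors_allow_origin($requestOrigin);
    if ($origin !== null) {
        $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    }
    return $headers;
}

// Simplified browser-side check: the header value must be "*" or match
// the page's origin exactly. A comma-joined list is one non-matching string.
function browser_accepts(string $pageOrigin, ?string $acao): bool
{
    return $acao === '*' || $acao === $pageOrigin;
}

// Constructed sample origins: one legitimate, one look-alike.
$joined = implode(',', ALLOWED_ORIGINS); // the form Chrome rejected
foreach (['http://php.net', 'http://php.net.example'] as $origin) {
    printf("%-24s list:%s echo:%s\n", $origin,
        var_export(browser_accepts($origin, $joined), true),
        var_export(browser_accepts($origin, cors_allow_origin($origin)), true));
}
```

In a page, the headers would be emitted with `foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $h) header($h);` before any output.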
