Home >Backend Development >PHP Tutorial >Why am I still getting an \'Access-Control-Allow-Origin\' error when I\'ve set the CORS headers in PHP?
CORS Not Working in PHP
Cross-Origin Resource Sharing (CORS) allows you to make requests from one domain to a different domain. When a request is made from a different domain, the browser checks the server's response for specific headers that indicate whether the request is allowed.
Problem:
A developer is attempting to send a POST request from www.siteone.com to www.sitetwo.com using CORS. However, they encounter an "Access-control-Allow-Origin error" despite setting the necessary CORS headers on the server.
Request/Response Headers:
Response Headers Connection Keep-Alive Content-Length 487 Content-Type text/html; charset=iso-8859-1 Date Fri, 23 Aug 2013 05:53:20 GMT Keep-Alive timeout=15, max=99 Server Apache/2.2.15 (CentOS) WWW-Authenticate Basic realm="Site two Server - Restricted Area" Request Headers Accept */* Accept-Encoding gzip, deflate Accept-Language en-US,en;q=0.5 Content-Length 43 Content-Type application/x-www-form-urlencoded; charset=UTF-8 Host www.sitetwo.com Origin http://www.siteone.com Referer http://www.siteone.com/index.html User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0
Solution:
The issue lies in the way the CORS headers are set on the server. The original code used a simplified approach that included only the following headers:
header('Access-Control-Allow-Origin: *'); header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
However, according to the CORS specification, handling requests properly requires a more comprehensive approach. The developer updated the code to the following:
if (isset($_SERVER['HTTP_ORIGIN'])) { header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); header('Access-Control-Allow-Credentials: true'); header('Access-Control-Max-Age: 86400'); // cache for 1 day } if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') { if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) header("Access-Control-Allow-Methods: GET, POST, OPTIONS"); if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}"); exit(0); } // Your actual code goes here echo "You have CORS!";
This updated code not only sets the basic CORS headers, but also handles preflight OPTIONS requests, which are used by browsers to determine whether the actual request is allowed. By implementing this more thorough approach, the developer successfully enabled CORS for their application.
The above is the detailed content of Why am I still getting an 'Access-Control-Allow-Origin' error when I've set the CORS headers in PHP?. For more information, please follow other related articles on the PHP Chinese website!