Home >Backend Development >PHP Tutorial >Why am I still getting an \'Access-Control-Allow-Origin\' error when I\'ve set the CORS headers in PHP?

Why am I still getting an \'Access-Control-Allow-Origin\' error when I\'ve set the CORS headers in PHP?

Linda Hamilton
Linda HamiltonOriginal
2024-11-03 02:22:03698browse

Why am I still getting an

CORS Not Working in PHP

Cross-Origin Resource Sharing (CORS) allows you to make requests from one domain to a different domain. When a request is made from a different domain, the browser checks the server's response for specific headers that indicate whether the request is allowed.

Problem:
A developer is attempting to send a POST request from www.siteone.com to www.sitetwo.com using CORS. However, they encounter an "Access-control-Allow-Origin error" despite setting the necessary CORS headers on the server.

Request/Response Headers:

Response Headers
Connection  Keep-Alive
Content-Length  487
Content-Type    text/html; charset=iso-8859-1
Date    Fri, 23 Aug 2013 05:53:20 GMT
Keep-Alive  timeout=15, max=99
Server  Apache/2.2.15 (CentOS)
WWW-Authenticate    Basic realm="Site two Server - Restricted Area"
Request Headers
Accept  */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Content-Length  43
Content-Type    application/x-www-form-urlencoded; charset=UTF-8
Host    www.sitetwo.com
Origin  http://www.siteone.com
Referer http://www.siteone.com/index.html
User-Agent  Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0

Solution:
The issue lies in the way the CORS headers are set on the server. The original code used a simplified approach that included only the following headers:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, OPTIONS');

However, according to the CORS specification, handling requests properly requires a more comprehensive approach. The developer updated the code to the following:

if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');    // cache for 1 day
}

if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
        header("Access-Control-Allow-Methods: GET, POST, OPTIONS");         

    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
        header("Access-Control-Allow-Headers:        {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");

    exit(0);
}

// Your actual code goes here
echo "You have CORS!";

This updated code not only sets the basic CORS headers, but also handles preflight OPTIONS requests, which are used by browsers to determine whether the actual request is allowed. By implementing this more thorough approach, the developer successfully enabled CORS for their application.

The above is the detailed content of Why am I still getting an 'Access-Control-Allow-Origin' error when I've set the CORS headers in PHP?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn