I have had a lot of success securely allowing CORS but I have tried with another page and it's not working. I hope someone can tell me what I'm missing. I know that * is insecure, but I'm trying that just to eliminate the site name as a variable.
.htaccess file
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
and the top of my php file:
// Allow from any origin just for testing...
if (isset($_SERVER['HTTP_ORIGIN'])) {
// in production, no *, but using my real domain
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
}
// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
}
When accessing the php file with an ajax request, I receive: Access to XMLHttpRequest at 'https://sitename.000webhostapp.com/' from origin 'https://samesitename.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
It works in Postman. Here is header info:
Date →Mon, 29 Apr 2019 18:50:03 GMT
Content-Type →text/html; charset=UTF-8
Transfer-Encoding →chunked
Connection →keep-alive
Access-Control-Allow-Origin →*
Access-Control-Allow-Headers →origin, x-requested-with, content-type
Access-Control-Allow-Methods →PUT, GET, POST, DELETE, OPTIONS
Server →awex
X-Xss-Protection →1; mode=block
X-Content-Type-Options →nosniff
X-Request-ID →18341eb6e5c7e5f483d8dd3a3a492b9c
Content-Encoding →gzip
The bigger story is that I'm hosting the main site on firebase which doesn't support PHP, so I put the php files on 000webhostapp.com as a workaround.
