php-cross-domain-proxy
php-cross-domain-proxy copied to clipboard
Add CORS header to response
since the purpose of this script is to bypass CORS check, the response should contain CORS headers.
I've tried the script on my php server and requests from javascript didn't succeed because of missing CORS headers. After adding
header("Access-Control-Allow-Origin: *");
to the php file, everything works fine.
One may need a bit more:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: *');
header('Access-Control-Allow-Methods: *');
header('Access-Control-Allow-Credentials: true');
When responding to a credentialed request, the server must specify an origin in the value of the
Access-Control-Allow-Origin
header, instead of specifying the "*
" wildcard.
(This also applies to including cookies.)
So, maybe:
header('Access-Control-Allow-Origin: ' . ($_SERVER['HTTP_ORIGIN'] ?? '*'));
Also, one may not want to delegate OPTIONS
to the remote server, as that remote server may need authorization while the browser will not include any credentials for the OPTIONS
request:
if ('OPTIONS' == $request_method) {
http_response_code(200);
exit;
}
since the purpose of this script is to bypass CORS check
Aside: the CORS headers are not needed when hosting this very proxy on the same domain as the web pages that make the requests. But given the configuration for $valid_requests
hosting on the same domain is indeed not a requirement. (And I myself also needed to add those headers.)