2

I have a question about CORS through php:

I found this php script, right here on stackoverflow:

<?php
// Allow from any origin
if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');    // cache for 1 day
}

// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {

    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
        header("Access-Control-Allow-Methods: GET, POST, OPTIONS");         

    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
        header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");

    exit(0);
}

echo "You have CORS!";?>

And it totally works, so that's great!

But I would like it so only one specific site gets permission to access the server - how would I go about that?

// rephrased:
What I mean is that I want to be able to make "b_site.com" access the server, and fonts, of "a_site.com". The script I posted above does enable that, but it enables it for every existing site ever. I want it to be enabled exclusively to "b_site.com".

I'm all new to php, and have spent hours trying to figure this out - I would really appreciate some help.

Thanks in advance!

//updated the title to "(...)site" instead of "(...)url" for clarity.

mcm
  • URLs don't access servers. Did you mean IP address? – FuzzyTree Sep 20 '15 at 18:32
  • I may have phrased it wrong - what I mean is that I want to be able to make "b_site.com" access the server, and fonts, of "a_site.com". The script I posted above does enable that, but it enables it for every existing site ever. I want it to be enabled exclusively to "b_site.com". – mcm Sep 20 '15 at 18:57

2 Answers

1

Have you tried

Access-Control-Allow-Origin: http://b_site.com



if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] == 'http://www.b_site.com') {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');    // cache for 1 day

}

jasonlam604
0

Try this:

$http_origin = $_SERVER['HTTP_HOST'];

if ($http_origin == "www.b_site.com" OR $http_origin == "b_site.com")
{  
    header("Access-Control-Allow-Origin: $http_origin");
}
num8er
  • Thanks for the reply! Unfortunately I can't seem to get it to work. I switched "if (isset($_SERVER['HTTP_ORIGIN'])) { header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}"); header('Access-Control-Allow-Credentials: true'); header('Access-Control-Max-Age: 86400'); // cache for 1 day }" with the code you suggested. Is that what I was supposed to do? – mcm Sep 20 '15 at 20:34
  • Try to replace $_SERVER['HTTP_ORIGIN']; with $_SERVER['HTTP_HOST']; – num8er Sep 20 '15 at 21:09
  • Still no luck - but I really appreciate you trying to help me out! – mcm Sep 22 '15 at 19:21
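
The restriction asked about in the question, as an added example that is not part of the original thread: the request's `Origin` header is compared exactly against a fixed list, and the CORS headers are sent only on a match. The browser sends `Origin` as scheme plus host (for example `http://b_site.com`), while `HTTP_HOST` holds the name of the server being requested, so the comparison has to use `HTTP_ORIGIN` and full origin strings. The origin list, the helper name `cors_headers` and the fixed `Content-Type` header list are assumptions.

```php
<?php
// Added example, not code from the original thread.
// Assumption: these are the only origins allowed to read responses from a_site.com.
// An Origin value is scheme + host (+ port), so every variant is listed in full.
const ALLOWED_ORIGINS = [
    'http://b_site.com',
    'http://www.b_site.com',
];

/**
 * Build the CORS response headers for one request.
 * Hypothetical helper; $server has the same shape as $_SERVER.
 * For an origin that is not on the list, only "Vary: Origin" is returned.
 */
function cors_headers(array $server): array
{
    $origin = $server['HTTP_ORIGIN'] ?? '';

    // The response differs per Origin, so shared caches must key on it.
    $headers = ['Vary: Origin'];

    // Exact string comparison: no substring, suffix or regex matching.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return $headers;
    }

    // $origin is now one of our own constants, so it is safe to echo back.
    $headers[] = "Access-Control-Allow-Origin: $origin";
    $headers[] = 'Access-Control-Allow-Credentials: true'; // drop if cookies are not needed

    if (($server['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        // Preflight: answer with fixed lists instead of reflecting the request.
        $headers[] = 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
        $headers[] = 'Access-Control-Allow-Headers: Content-Type'; // assumption
        $headers[] = 'Access-Control-Max-Age: 86400'; // cache preflight for 1 day
    }
    return $headers;
}

foreach (cors_headers($_SERVER) as $line) {
    header($line);
}

// A preflight request gets headers only, no body.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
    exit(0);
}

echo "You have CORS!";
```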