1

I only want to allow requests from my website to visit the following php page. However, all pages are being allowed on XAMPP.

This is my code:

I'm using a .js file to call the php file:

```javascript
// page1.js

var json_url = "page2.php";

$.getJSON(json_url, function(response) {
    alert("Entered");
});
```

And on page2.php :

```php
<?php

header("Access-Control-Allow-Origin: https://www.mywebsite.com");
header("Access-Control-Allow-Credentials: true");
header("Content-Type: application/json");

// ...

?>
```
sideshowbarker
the_it_crowd
  • Please consider using https://stackoverflow.com/posts/46305617/edit to edit/update your question to indicate more explicitly what problem you are trying to solve — in a form like, *I want to do XXXX but it’s not working because YYYY.* What exactly do you mean by *“all pages are being allowed on XAMPP.”*? What exactly does *“allowed on XAMPP”* mean? – sideshowbarker Sep 20 '17 at 03:45
  • If I understand what you’re trying to say, you might want to read the answers at https://stackoverflow.com/questions/40835863/in-the-respective-of-security-is-it-meaningful-to-allow-cors-for-specific-domai/40836602#40836602 and https://stackoverflow.com/questions/46298760/how-does-enablecors-restrict-the-origin-access/46301772#46301772 for an explanation of what CORS does and does not actually do – sideshowbarker Sep 20 '17 at 03:47

1 Answer

0

The correct way of using it would be:

Access-Control-Allow-Origin: www.mywebsite.com

Yes, you must specify a domain (wildcards are allowed), not a URL.

Now, what do you mean by "allow requests from my website to visit the following php page"? If you're not the owner of www.remoteserver.com, you won't be able to perform ajax calls from your website (mywebsite.com) to www.remoteserver.com unless Access-Control-Allow-Origin: www.yourwebsite.com header is present in their HTTP response (which I doubt if you're not the owner).

Eduardo Escobar
  • Have updated the question for clarity. I want page2.php to respond to requests only from within www.mywebsite.com (which is my domain). However it currently executes even though the requests are from outside my domain. – the_it_crowd Sep 19 '17 at 16:48
  • You don't even need to send `Access-Control-Allow-Origin` header for that. If it's not present in your HTTP response, no other domain but yours itself will be able to make ajax calls to page2.php. – Eduardo Escobar Sep 19 '17 at 16:54
  • But right now anyone can search for "mywebsite.com/page2.php" and access it. How do I restrict that as well, so that only my own domain pages can access it? – the_it_crowd Sep 19 '17 at 17:08
  • I suppose you're not talking about ajax calls, so `Access-Control-Allow-Origin` won't work for you this time. – Eduardo Escobar Sep 19 '17 at 17:56
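
What CORS does and does not do for page2.php, as an added example that is not part of the original question or answer: a simplified model of the check a browser applies to the response of a simple GET such as `$.getJSON`. The function and field names are hypothetical; the point is that page2.php runs in every case and the headers only decide whether the calling script may read the response.

```javascript
// Simplified model of the browser's CORS check for a simple GET (what
// $.getJSON sends). Function and field names are hypothetical, not a browser API.
function corsCheck(pageOrigin, targetUrl, responseHeaders, withCredentials = false) {
  // The request is sent and page2.php runs before any check happens.
  const result = { serverExecuted: true, scriptCanRead: false, reason: "" };

  // Same-origin requests are never subject to CORS.
  if (new URL(targetUrl).origin === pageOrigin) {
    return { ...result, scriptCanRead: true, reason: "same-origin, no CORS check" };
  }
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ...result, reason: "no Access-Control-Allow-Origin header" };
  }
  if (withCredentials) {
    // Credentialed requests need an exact origin plus Allow-Credentials: true.
    if (allowOrigin !== pageOrigin) {
      return { ...result, reason: "origin mismatch (wildcard not accepted with credentials)" };
    }
    if (responseHeaders["access-control-allow-credentials"] !== "true") {
      return { ...result, reason: "Access-Control-Allow-Credentials is not true" };
    }
    return { ...result, scriptCanRead: true, reason: "credentialed match" };
  }
  // Non-credentialed: "*" or an exact match of scheme://host[:port].
  if (allowOrigin === "*" || allowOrigin === pageOrigin) {
    return { ...result, scriptCanRead: true, reason: "origin allowed" };
  }
  return { ...result, reason: "origin mismatch" };
}

// Constructed sample: the headers page2.php sends in the question.
const page2Headers = {
  "access-control-allow-origin": "https://www.mywebsite.com",
  "access-control-allow-credentials": "true",
};
const target = "https://www.mywebsite.com/page2.php";

function demo() {
  return [
    corsCheck("https://www.mywebsite.com", target, page2Headers), // own page
    corsCheck("https://other.example", target, page2Headers),     // foreign page
    corsCheck("https://other.example", target, {}),               // header omitted
  ];
}
console.log(demo());
```

A URL typed into the address bar or fetched by a non-browser client never goes through this check at all, which is why the header cannot serve as access control for page2.php.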