
I have a login button in the subdomain which is calling an AJAX request on the main domain. In order to make CORS work I have to have the right domain which made the request in order to validate it on the main domain.

I can't use an exact subdomain because I have more than 3k subdomains which are all valid to make the request, and I also can't dynamically add them all to each request as it would burden it unnecessarily.

What I want is a method to pull out the referer somehow from the request, but $_SERVER['HTTP_REFERER'] doesn't always function.

Is there some method which can fetch referer without exceptions each time so that I am sure that referer is set?

If not, is there a way to enforce attaching referer header to requests?

Norgul
  • no, http is a stateless protocol –  Dec 12 '17 at 08:29
  • It's up to the user to send the correct referrer. If they don't then they may have deep-linked to the page and CORS is supposed to prevent them from doing that. Are there any regular use cases where the referrer is not set? – apokryfos Dec 12 '17 at 08:42
  • The HTTP Referer is not reliable, period. It's not meant to be. You need to find a different solution for your problem. If you want us to help with that, you need to describe the problem you're trying to solve in more detail. – deceze Dec 12 '17 at 08:45
  • What is there to explain in more detail? I have a subdomain making a request to main domain. Subdomain needs to be checked in the middleware, thus I need to see referer so I can parse it and cross-check with whitelisted subdomains – Norgul Dec 12 '17 at 08:46
  • For instance, if you say you have 3k subdomains, I expect those to be "vanity" subdomains (e.g. `username.example.com`), which are all ultimately served through the same main web server. In that case the appropriate solution may be to not make a request to `example.com`, but to `username.example.com`, obsoleting any CORS concerns… – deceze Dec 12 '17 at 08:56
  • If all your domains are subdomains of a main domain then you can allow origins from the same domain and set the `document.domain` on the client side (https://developer.mozilla.org/en-US/docs/Web/API/Document/domain) if they are not you can try an htaccess solution (see https://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols) at any rate if you use the referer you need to rely on the users to send it. – apokryfos Dec 12 '17 at 08:59
  • It crossed my mind, the problem with that approach I have is that I feel as that is just a quickfix for what should really be a request to main domain. Subdomains are like the ones you specified, but are different regions (instead of users), and I feel that if you log in from each region, you must call a login method on main domain – Norgul Dec 12 '17 at 09:00

2 Answers

2

You can use the following to your taste

// Get the current URL without the query string.
url()->current();

// Get the current URL including the query string.
url()->full();

// Get the full URL for the previous request, i.e. the HTTP referer.
url()->previous();

Each of these methods may also be accessed via the URL facade:

use Illuminate\Support\Facades\URL;
URL::current();
URL::full();
URL::previous();

Laravel Doc

Wilson
0

Yes, there is a simple way to enforce attaching referer headers to the request. It requires just a small change to the frontend code, and is really easy:

Just send the referer explicitly by adding it as a URL parameter.

http://www.yourdomain.com/login?referer=sub.yourdomain.com

Query parameters are already sent on the preflight request and can be evaluated by the backend to set the correct CORS header.

Alexander
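The backend check the comment thread and both answers circle around, as an added example that is part of neither answer: the Referer header is optional, but browsers attach an Origin header to every cross-origin XHR/fetch request, preflight included, so a Laravel middleware can validate that header against the parent domain's subdomains and echo the matching value back without ever shipping a list of 3k subdomains. The class name, the PARENT_DOMAIN constant and the example.com placeholder are assumptions.

```php
<?php
// Added example (not from either answer). Assumes parent domain "example.com".
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AllowSubdomainOrigins
{
    private const PARENT_DOMAIN = 'example.com'; // placeholder for the real main domain

    public function handle(Request $request, Closure $next): Response
    {
        $origin = $request->headers->get('Origin');
        // Same-origin and non-browser requests carry no Origin header, so CORS
        // headers do not apply; pass them through unchanged.
        if ($origin === null) {
            return $next($request);
        }

        if (!self::isAllowedOrigin($origin)) {
            // Unknown origin: reply without Access-Control-Allow-Origin, so the
            // browser refuses to expose the response to the calling page.
            return response('Forbidden origin', 403);
        }

        // Preflight OPTIONS requests should not reach the login route; answer here.
        $response = $request->isMethod('OPTIONS') ? response('', 204) : $next($request);

        $response->headers->set('Access-Control-Allow-Origin', $origin); // exact origin, never "*"
        $response->headers->set('Access-Control-Allow-Credentials', 'true');
        $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
        $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With');
        $response->headers->set('Vary', 'Origin'); // shared caches must key on Origin
        return $response;
    }

    /** True only for https://<label>.example.com: one label, no port, no path. */
    public static function isAllowedOrigin(string $origin): bool
    {
        $p = parse_url($origin);
        if ($p === false || ($p['scheme'] ?? '') !== 'https' || isset($p['port']) || isset($p['path'])) {
            return false;
        }
        // Anchor on the whole host so "example.com.attacker.net" and "evilexample.com" fail.
        $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
        return (bool) preg_match('/^' . $label . '\.' . preg_quote(self::PARENT_DOMAIN, '/') . '$/', strtolower($p['host'] ?? ''));
    }
}
```

Register it on the login route group ahead of any auth middleware, and keep Access-Control-Allow-Credentials only if the login call actually relies on cookies.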