<p>Okay, but you all know that the * is a wildcard and allows cross-site scripting from every domain?</p>

<p>You would like to send multiple <code>Access-Control-Allow-Origin</code> headers for every site that's allowed to, but unfortunately it's officially not supported to send multiple <code>Access-Control-Allow-Origin</code> headers, or to put in multiple origins.</p>

<p>You can solve this by checking the origin, and sending back that one in the header, if it is allowed:</p>

<pre class="lang-php prettyprint-override"><code>// Origin header as sent by the browser; it is absent on same-origin requests,
// so default to an empty string instead of triggering an undefined-index notice
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';

// Exact list of origins (scheme + host) that may read cross-origin responses
$allowed_domains = [
    'http://mysite1.com',
    'https://www.mysite2.com',
    'http://www.mysite2.com',
];

// Strict comparison: only an exact match is echoed back in the header
if (in_array($origin, $allowed_domains, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
}
</code></pre>

<p>That's much safer. You might want to edit the matching and change it to a manual function with some regex, or something like that. At least this will only send back 1 header, and you will be sure it's the one that the request came from. Please do note that all HTTP headers <em>can</em> be spoofed, but this header is for the client's protection. Don't protect your own data with those values. If you want to know more, read up a bit on CORS and CSRF.</p>

<p><strong>Why is it safer?</strong></p>

<p>Allowing access from other locations than your own trusted site allows for session hijacking. I'm going to go with a little example: imagine Facebook allows a wildcard origin. This means that you can make your own website somewhere, and make it fire AJAX calls (or open iframes) to Facebook. This means you can grab the logged-in info of the Facebook of a visitor of your website. Even worse, you can script <code>POST</code> requests and post data on someone's Facebook, just while they are browsing your website.</p>

<p>Be very cautious when using the <code>ACAO</code> headers!</p>
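The allowlist check in the answer above, written out as an added example (not part of the original answer, and in Python rather than the answer's PHP so the logic can be exercised stand-alone). The function name <code>cors_headers</code>, the constant <code>ALLOWED_ORIGINS</code> and every sample origin are constructed for illustration. It shows the defensive properties a practitioner wants from this pattern: only an exact, case-sensitive match of scheme and host is reflected, a missing <code>Origin</code> header produces no <code>Access-Control-Allow-Origin</code> at all, lookalike origins that would slip past a substring or unanchored regex match are rejected, and <code>Vary: Origin</code> is emitted so a shared cache never serves one origin's response to another.

```python
# Added example (not from the original answer): exact-match origin allowlist
# for Access-Control-Allow-Origin. Names and sample origins are constructed.
from typing import Dict, FrozenSet, Optional

# Same three origins as the PHP snippet; scheme + host, no trailing slash
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "http://mysite1.com",
    "https://www.mysite2.com",
    "http://www.mysite2.com",
})


def cors_headers(origin: Optional[str],
                 allowed: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers for a request carrying `origin`.

    Only an exact, case-sensitive match against the allowlist is reflected.
    Anything else (missing header, lookalike host, different scheme or port)
    gets no Access-Control-Allow-Origin header, so the browser withholds the
    response body from the calling page. `Vary: Origin` tells caches that the
    response differs per origin, so a copy cached for one allowed site is not
    replayed to a different requester.
    """
    headers = {"Vary": "Origin"}
    if origin is not None and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


# Constructed origins that each differ from an allowed one in a way a loose
# (substring / unanchored regex / case-insensitive) check would miss.
LOOKALIKES = [
    "http://mysite1.com.attacker.example",  # allowed host as a prefix
    "http://notmysite1.com",                # allowed host as a suffix
    "https://mysite1.com",                  # scheme differs
    "http://mysite1.com:8080",              # port differs
    "HTTP://MYSITE1.COM",                   # case differs (browsers send lowercase)
]

if __name__ == "__main__":
    for o in ["http://mysite1.com", None, *LOOKALIKES]:
        print(repr(o), "->", cors_headers(o))
```

The allowlist is a <code>frozenset</code> of whole origins rather than a regex: membership is an exact string comparison, which is the property that makes the reflect-the-origin pattern safe. If a regex is introduced later, as the answer suggests, anchor it at both ends and escape the dots, or the lookalike cases above start passing.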