leafsphp / cors

🔖 CORS module for leaf + PHP
https://leafphp.dev/modules/cors/

Added check for HTTP_ORIGIN index (fix #1) #2

Closed bluesn4rfer closed 2 years ago

bluesn4rfer commented 2 years ago

Description

Added an if statement to the top of function isOriginAllowed to check if the HTTP_ORIGIN index was set in $_SERVER and return false if it is not found.

This change prevents a notice exception from being thrown when $_SERVER['HTTP_ORIGIN'] does not exist and allows a user to view the resource.

This is not a breaking change because if $_SERVER['HTTP_ORIGIN'] is set, it would continue the rest of the flow inside function isOriginAllowed.

Related Issue

#1 ErrorException thrown with message "Undefined index: HTTP_ORIGIN"

After creating a default leaf mvc project, then attempting to view the project, the user receives a notice exception.

bluesn4rfer commented 2 years ago

Hi,

Looking in Google Chrome developer tools, there does not appear to be an Origin header sent.

This is an old answer from Stack Overflow: https://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request

I'm still researching this some, but it looks like same-origin requests might not be required to send the Origin header & that might be why HTTP_ORIGIN is not populated. If HTTP_ORIGIN is always populated when cross-origin requests occur, then the original commit of returning false & skipping the Allow-Origin header in the response may be fine?

NoOrigin

mychidarko commented 2 years ago

Oh yeah. That's true, but in cases like yours, you'll get errors if you simply return false.

bluesn4rfer commented 2 years ago

Perhaps using $_SERVER['HTTP_HOST'] when $_SERVER['HTTP_ORIGIN'] is not found?

mychidarko commented 2 years ago

Yes, thanks

mychidarko commented 2 years ago

Thanks for the PR
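
The missing-Origin case discussed in this thread, as an added example (not code from this PR or from the leaf cors module): it reads HTTP_ORIGIN without raising a notice and treats an absent header as a non-CORS request. The function name `corsHeadersFor`, the allow-list and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example; names and sample values are hypothetical, not the module's API.

/**
 * Decide which CORS response headers to emit for one request.
 * $server is a $_SERVER-style array; $allowed is an exact-match list of origins.
 */
function corsHeadersFor(array $server, array $allowed): array
{
    // Same-origin GET/HEAD requests and non-browser clients usually send no
    // Origin header, so the key may be absent. Read it without raising a notice.
    $origin = $server['HTTP_ORIGIN'] ?? null;

    // No Origin: this is not a CORS request. Emit no CORS headers and let the
    // resource be served normally. HTTP_HOST carries no scheme, so it is not
    // an origin string and is not used as a stand-in here.
    if ($origin === null || $origin === '') {
        return [];
    }

    // Origin is client-supplied: compare it strictly against the allow-list
    // and only ever echo back a value that is already in that list.
    if (!in_array($origin, $allowed, true)) {
        return ['Vary' => 'Origin'];
    }

    return [
        'Access-Control-Allow-Origin' => $origin,
        // Keep caches from reusing this response for a different origin.
        'Vary' => 'Origin',
    ];
}

// Constructed sample requests.
$allowed = ['https://app.example.test'];
$samples = [
    'no Origin header' => ['HTTP_HOST' => 'api.example.test'],
    'allowed origin'   => ['HTTP_HOST' => 'api.example.test', 'HTTP_ORIGIN' => 'https://app.example.test'],
    'unlisted origin'  => ['HTTP_HOST' => 'api.example.test', 'HTTP_ORIGIN' => 'https://other.example.test'],
];

foreach ($samples as $label => $server) {
    echo $label, ': ', json_encode(corsHeadersFor($server, $allowed), JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```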