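If someone sends an XHR request from some-client.com to some-rest.com, I want to get the origin of the request (the domain name, not the client IP) with PHP.
Possible solutions:
- Maybe I can use $_SERVER['HTTP_ORIGIN'], but I don't know whether it is standard.
- I saw other headers such as $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'], but in some cases these return the real host name rather than the real domain.
- And $_SERVER['REMOTE_ADDR'] gives the client IP.
Thanks!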
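According to MDN's HTTP access control (CORS) article:
All requests must have an Origin header set in order to work properly under the CORS (Cross-Origin Resource Sharing) mechanism.
The "Origin" request header is part of RFC 6454, which describes it as part of the CORS mechanism, and according to MDN it is compatible with all browsers.
MDN's description: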
The Origin request header indicates where a fetch originates from. It doesn’t include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn’t disclose the whole path.
$_SERVER['HTTP_ORIGIN']
And, in the case of a direct request, you can combine HTTP_REFERER and REMOTE_ADDR, like:

    if (array_key_exists('HTTP_REFERER', $_SERVER)) {
        $origin = $_SERVER['HTTP_REFERER'];
    } else {
        $origin = $_SERVER['REMOTE_ADDR'];
    }

So, a possible final solution is:

    if (array_key_exists('HTTP_ORIGIN', $_SERVER)) {
        $origin = $_SERVER['HTTP_ORIGIN'];
    } else if (array_key_exists('HTTP_REFERER', $_SERVER)) {
        $origin = $_SERVER['HTTP_REFERER'];
    } else {
        $origin = $_SERVER['REMOTE_ADDR'];
    }

MDN is the Mozilla Developer Network.
Many thanks to @trine, @waseem-bashir, @p0lt10n and others for their help.
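
An added example, not part of the original answer: because Origin and Referer are set by the client, a REST endpoint normally reduces them to a scheme://host[:port] origin and compares that against an exact allowlist before using it in a CORS decision. The function names and the allowlist entry are hypothetical, and the sample requests are constructed.

```php
<?php
// Reduce a URL or Origin value to scheme://host[:port]; null if missing, "null" or malformed.
function normalize_origin(?string $value): ?string
{
    if ($value === null || $value === '' || strtolower($value) === 'null') {
        return null;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $origin = $scheme . '://' . strtolower($parts['host']);
    $default = $scheme === 'https' ? 443 : 80;
    if (isset($parts['port']) && $parts['port'] !== $default) {
        $origin .= ':' . $parts['port'];   // keep only non-default ports
    }
    return $origin;
}

// Origin first, Referer second; both are client-supplied, so treat the result as a hint.
function request_origin(array $server): ?string
{
    return normalize_origin($server['HTTP_ORIGIN'] ?? null)
        ?? normalize_origin($server['HTTP_REFERER'] ?? null);
}

// Return the origin only when it exactly matches an allowlisted entry (no substring match).
function allowed_origin(array $server, array $allowlist): ?string
{
    $origin = request_origin($server);
    return ($origin !== null && in_array($origin, $allowlist, true)) ? $origin : null;
}

// Constructed sample requests; some-client.com is the client domain from the question.
$allowlist = ['https://some-client.com'];
$samples = [
    ['HTTP_ORIGIN' => 'https://some-client.com'],
    ['HTTP_REFERER' => 'https://some-client.com/app/page?x=1'],
    ['HTTP_ORIGIN' => 'https://some-client.com.other.example'],
    ['HTTP_ORIGIN' => 'null', 'REMOTE_ADDR' => '203.0.113.7'],
];
foreach ($samples as $server) {
    var_dump(allowed_origin($server, $allowlist));
}
```

In a real handler, pass `$_SERVER` as the first argument and send `Access-Control-Allow-Origin` (with `Vary: Origin`) only when the function returns a non-null origin.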