concept request header in category javascript

This is an excerpt from Manning's book CORS in Action: Creating and consuming cross-origin APIs. Login to get full access to this book.

Setting request headers

If a method is a simple method, it doesn’t need to be listed in the Access-Control-Allow-Methods header. (Recall from section 4.2 that the CORS spec defines simple methods as GET, POST, and HEAD.) If the client sends an Access-Control-Request-Method: GET request header, the server doesn’t need to include the Access-Control-Allow-Methods header in the response. But this can be confusing. For consistency, the rest of the samples in this chapter will always include the Access-Control-Allow-Methods header, even for simple HTTP methods.

Listing 6.9. Adding all requested headers on preflight

Listing 6.10. Only allowing request headers prefixed with X-

allowHeaders: function(req) { var reqHeaders = req.headers['access-control-request-headers']; if (!reqHeaders) { return null; } reqHeaders = reqHeaders.split(','); resHeaders = []; for (var i = 0; i < reqHeaders.length; i++) { var header = reqHeaders[i].trim(); if (header.toLowerCase().indexOf('x-') === 0) { resHeaders.push(header); } } return resHeaders.join(','); }

copy

This is an excerpt from Manning's book Prototype and Scriptaculous in Action. Login to get full access to this book.

In PHP, we read the request headers using the apache_request_headers() array. If you’re not running PHP on an Apache server, your mileage may vary here—consult your web server manual in case of problems, and have a look at appendix E for some useful hints. The raw POST data can be read from the $HTTP_RAW_POST_DATA variable. Because the POST body is not a URL-encoded querystring, as a request from an HTML form would be, the $_REQUEST and $_POST variables won’t be populated.

First, we get a reference to the request headers as an array, using apache_request_headers(). Then we can simply read the value that we want out of that array.