dimaslanjaka

[PHP] AJAX CORS verification

Jan 17th, 2020
  1. <?php
  2. /**
  3.  * Cors domain verify and detect AJAX.
  4.  *
  5.  * @todo only allow CORS request
  6.  */
  7. function cors($print_server = false)
  8. {
  9.   //header('Content-type: application/json; charset=utf-8');
  10.   header('Access-Control-Allow-Origin: *'); //allow all AJAX REQUEST
  11.  
  12.   if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])) {
  13.     if ('xmlhttprequest' != strtolower($_SERVER['HTTP_X_REQUESTED_WITH'])) {
  14.       return __LINE__ . false;
  15.     } else {
  16.       if (isset($_SERVER['HTTP_SEC_FETCH_SITE']) && isset($_SERVER['HTTP_SEC_FETCH_MODE']) && isset($_SERVER['HTTP_REFERER']) && isset($_SERVER['HTTP_ORIGIN']) && isset($_SERVER['HTTP_USER_AGENT'])) {
  17.         $parseRef = parse_url($_SERVER['HTTP_REFERER']);
  18.         $parseOri = parse_url($_SERVER['HTTP_ORIGIN']);
  19.         if (!isset($parseOri['host']) || !isset($parseRef['host'])) {
  20.           return __LINE__ . false;
  21.         }
  22.         if ($parseOri['host'] != $parseRef['host']) {
  23.           return __LINE__ . false;
  24.         }
  25.         if ('same-origin' == $_SERVER['HTTP_SEC_FETCH_SITE'] && 'cors' == $_SERVER['HTTP_SEC_FETCH_MODE']) {
  26.           return $parseOri['host'] == $parseRef['host'];
  27.         } else {
  28.           if ($print_server) {
  29.             $_SERVER['PHP_LINE'] = __LINE__;
  30.  
  31.             return $_SERVER;
  32.           } else {
  33.             return false;
  34.           }
  35.         }
  36.       }
  37.     }
  38.   }
  39.   if (isset($_SERVER['HTTP_ORIGIN'])) {
  40.     header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
  41.     header('Access-Control-Expose-Headers: date,content-type,transfer-encoding,connection,access-control-allow-origin,server,x-xss-protection,x-content-type-options,x-request-id,content-encoding,x-final-url');
  42.     header('Access-Control-Allow-Credentials: true');
  43.     header('Access-Control-Max-Age: 86400');    // cache for 1 day
  44.     if (isset($_SERVER['HTTP_REFERER'])) {
  45.       $parseRef = parse_url($_SERVER['HTTP_REFERER']);
  46.       $parseOri = parse_url($_SERVER['HTTP_ORIGIN']);
  47.       if (!isset($parseOri['host']) || !isset($parseRef['host'])) {
  48.         return __LINE__ . false;
  49.       }
  50.       if ($parseOri['host'] != $parseRef['host']) {
  51.         return __LINE__ . false;
  52.       }
  53.     } else {
  54.       return __LINE__ . false;
  55.     }
  56.   }
  57.   if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
  58.     // may also be using PUT, PATCH, HEAD etc
  59.     header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
  60.   }
  61.  
  62.   if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
  63.     header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
  64.   } else {
  65.     header('Access-Control-Allow-Headers: X-Requested-With');
  66.   }
  67.  
  68.   $final = isset($_SERVER['HTTP_ACCEPT']) && isset($_SERVER['HTTP_ORIGIN']) && isset($_SERVER['HTTP_REFERER']) && isset($_SERVER['HTTP_ACCEPT_ENCODING']) && isset($_SERVER['CONTENT_TYPE']) && isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) && isset($_SERVER['HTTP_USER_AGENT']) && isset($_SERVER['UNIQUE_ID']);
  69.   if (!$final && $print_server) {
  70.     $_SERVER['PHP_LINE'] = __LINE__;
  71.  
  72.     return $_SERVER;
  73.   }
  74.   if ($final) {
  75.     return true;
  76.   }
  77.  
  78.   return false;
  79. }