There is an ajax request:
```js
$.ajax({
    url: 'https://<?php echo getDomain($_SERVER['SERVER_NAME']); ?>/engine/search.php',
    headers: {'X-Requested-With': 'XMLHttpRequest'},
    xhrFields: { withCredentials: true },
    crossDomain: true,
    method: 'POST',
    dataType: 'json',
    data: { data: data }
});
```

And on the server side there is a script that checks if the request was sent via ajax:
```php
<?php
$search_data = session_name("search_data");
session_set_cookie_params(0, '/', '.skytickets.ga');
session_start();
require('functions.php');

// CORS response headers, sent for every request method
header("Access-Control-Allow-Origin: https://search." . $_SERVER['SERVER_NAME']);
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Methods: POST, GET, OPTIONS");
header("Access-Control-Allow-Headers: X-Requested-With, Origin");
header("Content-Type: application/json; charset=utf-8");

// Every request, including OPTIONS, has to pass isAjax() to get past this point
if (isAjax()) {
    $data = $_POST['data'];
    if (isset($data) && !empty($data)) {
        // Reject when either IATA code is malformed
        if (!preg_match('/[A-Z][A-Z][A-Z]/', $data['from']) || !preg_match('/[A-Z][A-Z][A-Z]/', $data['to'])) {
            header('HTTP/1.0 500 Internal Server Error');
            die('Bad IATA codes provided');
        }
        // Reject when either date is malformed
        if (!validateDate($data['there']) || !validateDate($data['thence'])) {
            header('HTTP/1.0 500 Internal Server Error');
            die('Bad date format provided');
        }
        // Reject when any passenger count is malformed
        if (!preg_match('/^[1-9]*$/', $data['adults']) || !preg_match('/^[0-9]*$/', $data['teens']) || !preg_match('/^[0-9]*$/', $data['kids'])) {
            header('HTTP/1.0 500 Internal Server Error');
            die('Bad passengers data provided');
        }
        $_SESSION['search_data'] = json_encode($data, JSON_UNESCAPED_UNICODE);
        echo $_SESSION['search_data'];
        die();
    }
} else {
    header('HTTP/1.0 403 Forbidden');
    die('Access denied');
}
?>
```

IsAjax function:
```php
function isAjax() {
    return !empty($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
}
```

I re-checked the code 1000 times, re-read the CORS policy 1000 times and still can’t understand why this is not working. I get errors OPTIONS 403 (Forbidden) and XMLHttpRequest cannot load. Response for preflight has invalid HTTP status code 403.
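
Why the preflight is refused, as an added example that is not part of the original post: the browser's OPTIONS preflight does not carry `X-Requested-With` (it only names it in `Access-Control-Request-Headers`), so `isAjax()` is false and the script answers 403. The sketch below answers the preflight before applying the header check to the real request; `corsDecision()`, the origin value and the three requests are constructed for illustration, and rejecting requests without the expected `Origin` is an assumption of this example.

```php
<?php
// Added example, not the original poster's code. corsDecision() and the
// sample origin are hypothetical; the requests below are constructed.

/** Decide status and CORS headers from the method and request headers. */
function corsDecision(string $method, array $headers, string $allowedOrigin): array
{
    $h = array_change_key_case($headers, CASE_LOWER);
    $cors = [
        'Access-Control-Allow-Origin'      => $allowedOrigin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',
    ];

    // Reject origins other than the single expected one (assumption of this example).
    if (($h['origin'] ?? '') !== $allowedOrigin) {
        return [403, []];
    }

    // Preflight: the browser sends OPTIONS without X-Requested-With; the
    // header name only appears inside Access-Control-Request-Headers.
    if ($method === 'OPTIONS' && isset($h['access-control-request-method'])) {
        return [204, $cors + [
            'Access-Control-Allow-Methods' => 'POST, OPTIONS',
            'Access-Control-Allow-Headers' => 'X-Requested-With',
        ]];
    }

    // Actual request: keep the same test isAjax() performs.
    if (strtolower($h['x-requested-with'] ?? '') !== 'xmlhttprequest') {
        return [403, $cors];
    }
    return [200, $cors];
}

$origin = 'https://search.example.test'; // constructed placeholder origin

$preflight = ['Origin' => $origin,
              'Access-Control-Request-Method'  => 'POST',
              'Access-Control-Request-Headers' => 'x-requested-with'];
$post      = ['Origin' => $origin, 'X-Requested-With' => 'XMLHttpRequest'];
$forged    = ['Origin' => 'https://other.example.test'];

foreach ([['OPTIONS', $preflight], ['POST', $post], ['POST', $forged]] as [$m, $hdrs]) {
    [$status] = corsDecision($m, $hdrs, $origin);
    echo $m, ' -> ', $status, PHP_EOL;
}
```

The preflight gets a 2xx with only the CORS headers, while the session write stays behind the `X-Requested-With` check on the actual POST.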