php-cross-domain-proxy

Add CORS header to response

Open klues opened this issue 4 years ago • 1 comments

Since the purpose of this script is to bypass CORS check, the response should contain CORS headers.

I've tried the script on my PHP server and requests from JavaScript didn't succeed because of missing CORS headers. After adding

header("Access-Control-Allow-Origin: *");

to the PHP file, everything works fine.

klues avatar Feb 14 '20 13:02 klues

One may need a bit more:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: *');
header('Access-Control-Allow-Methods: *');
header('Access-Control-Allow-Credentials: true');

Even more:

> When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

(This also applies to including cookies.)

So, maybe:

header('Access-Control-Allow-Origin: ' . ($_SERVER['HTTP_ORIGIN'] ?? '*'));

Also, one may not want to delegate OPTIONS to the remote server, as that remote server may need authorization while the browser will not include any credentials for the OPTIONS request:

if ('OPTIONS' == $request_method) {
    http_response_code(200);
    exit;
}

> since the purpose of this script is to bypass CORS check

Aside: the CORS headers are not needed when hosting this very proxy on the same domain as the web pages that make the requests. But given the configuration for $valid_requests, hosting on the same domain is indeed not a requirement. (And I myself also needed to add those headers.)

avbentem avatar Dec 21 '20 19:12 avbentem
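
The header handling discussed in this thread, as an added example that is not part of the issue or of the project's own code: it sends the requesting origin back only when that origin is on an allowlist, since echoing any `Origin` together with `Access-Control-Allow-Credentials: true` lets every site read responses fetched with the user's cookies. The constants and the `cors_headers()` helper are hypothetical names with constructed values.

```php
<?php
// Added example. ALLOWED_ORIGINS and ALLOWED_HEADERS are constructed values.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE';
const ALLOWED_HEADERS = 'Content-Type, Authorization';

/**
 * Build the CORS headers for one request (hypothetical helper).
 * An absent or non-allowlisted Origin gets only "Vary: Origin", so the
 * browser refuses to expose the response to the calling page.
 */
function cors_headers(?string $origin, string $method): array
{
    // Always vary on Origin so a shared cache never replays one origin's
    // Access-Control-Allow-Origin value to a different origin.
    $headers = ['Vary: Origin'];

    // Strict comparison against the full origin string (scheme, host, port);
    // no substring or suffix matching.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return $headers;
    }

    // Credentialed responses need a concrete origin, never "*".
    $headers[] = 'Access-Control-Allow-Origin: ' . $origin;
    $headers[] = 'Access-Control-Allow-Credentials: true';

    if ($method === 'OPTIONS') {
        // With credentials, "*" in these two headers is treated as a literal
        // value rather than a wildcard, so list the real values.
        $headers[] = 'Access-Control-Allow-Methods: ' . ALLOWED_METHODS;
        $headers[] = 'Access-Control-Allow-Headers: ' . ALLOWED_HEADERS;
    }
    return $headers;
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null, $method) as $line) {
    header($line);
}

// Answer the preflight here instead of forwarding it to the remote server.
if ($method === 'OPTIONS') {
    http_response_code(204);
    exit;
}
```

This block would run before the proxy forwards the request, so a preflight never reaches the remote server.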