From 6b8e981bdc4e647c9c39638c259d4ff7b1945e2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paul=20S=C3=BCtterlin?= <paul@paulsuetterlin.de>
Date: Sat, 26 Jul 2025 01:06:24 +0000
Subject: [PATCH] fix: Only use HTTP_ORIGIN if it is sent.

---
 data/web/inc/functions.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index edf428d5a..55329e73a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2211,7 +2211,7 @@ function cors($action, $data = null) {
       $cors_settings['allowed_origins'] = $allowed_origins[0];
       if (in_array('*', $allowed_origins)){
         $cors_settings['allowed_origins'] = '*';
-      } else if (in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
+      } else if (array_key_exists('HTTP_ORIGIN', $_SERVER) && in_array($_SERVER['HTTP_ORIGIN'], $allowed_origins)) {
         $cors_settings['allowed_origins'] = $_SERVER['HTTP_ORIGIN'];
       }
       // always allow OPTIONS for preflight request