$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
header("Access-Control-Allow-Origin: $allowed_domain");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Headers: Content-Type, Accept, Authorization");
header("X-Frame-Options: ALLOW-FROM $origin");
header("Content-Security-Policy: frame-ancestors 'self' $allowed_domain");

This code is a CORS origin whitelist for a domain, but $origin is always null?
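An added example, not part of the original post: an exact-match origin allowlist that treats a missing Origin header (browsers typically omit it on same-origin GET requests and top-level navigations) as a non-CORS request rather than an error. The function name `cors_headers_for` and the sample origins are assumptions made for illustration.

```php
<?php
// Added example; cors_headers_for() and the origins below are hypothetical.

/**
 * Return the response header lines for a request, given its Origin header
 * (null when the browser sent none) and an exact-match allowlist.
 */
function cors_headers_for(?string $origin, array $allowed_origins): array
{
    // Framing policy and cache behaviour do not depend on a match.
    $headers = [
        "Content-Security-Policy: frame-ancestors 'self' " . implode(' ', $allowed_origins),
        // The response differs per Origin, so caches must key on it.
        'Vary: Origin',
    ];

    // No Origin header: not a CORS request, so emit no CORS headers.
    if ($origin === null || $origin === '') {
        return $headers;
    }

    // Exact string comparison only; no substring or regex matching.
    if (!in_array($origin, $allowed_origins, true)) {
        return $headers;
    }

    // With credentials enabled, the value must be one explicit origin.
    $headers[] = "Access-Control-Allow-Origin: $origin";
    $headers[] = 'Access-Control-Allow-Credentials: true';
    $headers[] = 'Access-Control-Allow-Methods: GET, POST, OPTIONS';
    $headers[] = 'Access-Control-Allow-Headers: Content-Type, Accept, Authorization';
    return $headers;
}

// Constructed sample input: no header, an allowed origin, a lookalike origin.
$allowed = ['https://app.example.com'];
$samples = [null, 'https://app.example.com', 'https://app.example.com.untrusted.test'];
foreach ($samples as $sample) {
    echo ($sample ?? '(no Origin header)'), "\n";
    foreach (cors_headers_for($sample, $allowed) as $line) {
        echo "  $line\n";
    }
}
```

In a request handler, pass `$_SERVER['HTTP_ORIGIN'] ?? null` as the first argument and send each returned line with `header()`.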