$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : null;
header("Access-Control-Allow-Origin: $allowed_domain");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Headers: Content-Type, Accept, Authorization");
header("X-Frame-Options: ALLOW-FROM $origin");
header("Content-Security-Policy: frame-ancestors 'self' $allowed_domain");
this code origin cors whitelist domain, but get $origin all null?