List:       php-internals
Subject:    Re: [PHP-DEV] Re: Access-Control-Allow-Origin header in CLI server
From:       Yasuo Ohgaki <yohgaki () ohgaki ! net>
Date:       2013-07-19 0:03:50
Message-ID: CAGa2bXYcEPpeYxh=c-5XoKbM2+u=pmS7hb2vkWueC5z5BJXPbg () mail ! gmail ! com
Hi Matthew,

2013/7/7 Matthew Leverton <leverton@gmail.com>

> On Sat, Jul 6, 2013 at 7:59 AM, Mario Brandt <jblond@gmail.com> wrote:
> > You can use the router script to add that header of your desire into
> > every request.
> >
> That's what I currently do. And I agree that if somebody wants to
> deviate from the reasonable set of defaults that PHP provides, then he
> must set them in a router script. I don't think the CLI server should
> be a configurable web server.
>
> But IMO, this is no different from PHP maintaining and delivering a
> small set of Content-type headers. Of course you could take the same
> hardline approach and tell the developer to set all of the content
> headers himself because you're worried that somebody might use PNG as
> a data file that holds ping pong scores. But neither the existence of
> this nor the content-type have any reasonable side effects.
>
> I'm just throwing this out here; I've got nothing more to say and am
> fine with the powers-to-be doing whatever they feel appropriate.
It would be nice if PHP encouraged secure web application development.

Not only having

  Access-Control-Allow-Origin

but also

  'X-Frame-Options' => 'SAMEORIGIN',
  'X-XSS-Protection' => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'

headers are best practice for better security.
It may not be suitable as a PHP core setting. However, it would
be great for many users to have these as a new core module setting.
PHP would be better if PHP promoted secure app development.

The number of recommended HTTP headers may increase.
Perhaps we should have a php.ini entry that specifies any HTTP headers
and set defaults in php.ini-*

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
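One way to do what Mario and Matthew describe, a router script for the CLI server that attaches the headers Yasuo lists to every response, as an added example that is not code from this thread. The file name `router.php`, the small MIME map, and the 404 handling are assumptions; it serves static files itself rather than returning `false`, so static and PHP responses alike carry the headers, and the Content-Type it sends is what makes `nosniff` meaningful.

```php
<?php
// router.php (added example, not from the thread). Run the CLI server with:
//   php -S localhost:8080 router.php
declare(strict_types=1);

// The header set proposed in the thread. Access-Control-Allow-Origin is left out:
// a wildcard or fixed origin is an application decision, not a safe default.
const SECURITY_HEADERS = [
    'X-Frame-Options'        => 'SAMEORIGIN',
    'X-XSS-Protection'       => '1; mode=block',
    'X-Content-Type-Options' => 'nosniff',
];
foreach (SECURITY_HEADERS as $name => $value) {
    header("$name: $value");
}

$docRoot = realpath($_SERVER['DOCUMENT_ROOT']);
$path    = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$file    = realpath($docRoot . $path);
if ($file !== false && is_dir($file)) {
    $file = realpath($file . '/index.php');   // directory request -> its index.php
}

// Only serve regular files inside the document root. realpath() collapses "../",
// so a traversal attempt simply fails the prefix test and gets a 404.
if ($file === false || !is_file($file)
    || strncmp($file, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) !== 0) {
    http_response_code(404);
    header('Content-Type: text/plain');
    echo "Not found\n";
    return true;
}

if (substr($file, -4) === '.php') {
    require $file;          // the script's own header() calls may still override
    return true;
}

// Static file: send it from here so this response also carries the headers above,
// with an explicit Content-Type (assumed map) so nosniff has something to enforce.
$types = [
    'html' => 'text/html; charset=utf-8', 'css' => 'text/css',
    'js'   => 'application/javascript',   'json' => 'application/json',
    'png'  => 'image/png',                'jpg' => 'image/jpeg',
];
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
header('Content-Length: ' . filesize($file));
readfile($file);
return true;
```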