Newsgroups: php.internals
Xref: news.php.net php.internals:68179
Date: Fri, 19 Jul 2013 09:03:50 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Matthew Leverton
Cc: Mario Brandt, Daniel Lowrey, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Access-Control-Allow-Origin header in CLI server

Hi Matthew,

2013/7/7 Matthew Leverton

> On Sat, Jul 6, 2013 at 7:59 AM, Mario Brandt wrote:
> > You can use the router script to add that header of your desire into
> > every request.
>
> That's what I currently do. And I agree that if somebody wants to
> deviate from the reasonable set of defaults that PHP provides, then he
> must set them in a router script. I don't think the CLI server should
> be a configurable web server.
>
> But IMO, this is no different from PHP maintaining and delivering a
> small set of Content-type headers. Of course you could take the same
> hardline approach and tell the developer to set all of the content
> headers himself because you're worried that somebody might use PNG as
> a data file that holds ping pong scores. But neither the existence of
> this nor the content-type have any reasonable side effects.
>
> I'm just throwing this out here; I've got nothing more to say and am
> fine with the powers-to-be doing whatever they feel appropriate.

It would be nice if PHP encouraged secure web application development.
Not only Access-Control-Allow-Origin but also

  'X-Frame-Options'        => 'SAMEORIGIN',
  'X-XSS-Protection'       => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'

headers are best practice for better security. It may not be suitable as
a PHP core setting. However, it would be great for many users to have
these as a new core module setting. PHP would be better if PHP promoted
secure app development. The number of recommended HTTP headers may
increase.
Perhaps we should have a php.ini entry that specifies any HTTP headers,
and set defaults in php.ini-*.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
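As an added illustration of the router-script approach Mario and Matthew mention (this is not code from the thread or from PHP itself), the script below sets the three headers Yasuo lists on every response of the CLI server and echoes back an explicitly allowed Origin instead of a wildcard. It assumes the document root is the script's own directory; the `$allowedOrigins` list and the small `$mimeTypes` map are placeholders to adapt, and static files are served by the router itself because, in my reading of the CLI server, headers set before `return false` are discarded when the server serves a static file on its own.

```php
<?php
// router.php for the PHP CLI server: php -S localhost:8080 router.php
// Added example, not code from this thread. Header values are the ones
// named in the message; $allowedOrigins and $mimeTypes are assumed.

$securityHeaders = [
    'X-Frame-Options'        => 'SAMEORIGIN',
    'X-XSS-Protection'       => '1; mode=block',
    'X-Content-Type-Options' => 'nosniff',
];
foreach ($securityHeaders as $name => $value) {
    header("$name: $value");
}

// CORS: echo back an explicitly allowed Origin instead of '*'.
$allowedOrigins = ['http://localhost:8080'];   // assumed value
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins, true)) {
    header("Access-Control-Allow-Origin: $origin");
    header('Vary: Origin');
}

// Map the URL path onto the document root and reject anything that
// resolves outside it (realpath() normalises '..' and symlinks).
$docRoot = realpath(__DIR__);
$urlPath = rawurldecode(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? '/');
$file = strpos($urlPath, "\0") === false ? realpath($docRoot . $urlPath) : false;
$inRoot = $file !== false
    && strncmp($file, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0;

$mimeTypes = [   // assumed, minimal map; extend for your site
    'html' => 'text/html; charset=UTF-8', 'css'  => 'text/css',
    'js'   => 'application/javascript',   'json' => 'application/json',
    'png'  => 'image/png',                'svg'  => 'image/svg+xml',
];
$ext = $inRoot ? strtolower(pathinfo($file, PATHINFO_EXTENSION)) : '';

if ($inRoot && is_file($file) && $ext !== 'php') {
    // Serve static files here: if the router returned false and the server
    // served the file itself, the headers set above would be dropped.
    header('Content-Type: ' . ($mimeTypes[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($file));
    readfile($file);
    return true;
}

// PHP scripts (and directories, which fall back to index.php) are handled
// by the built-in server; they run inside this same request, so the
// headers already set above are kept.
return false;
```

Modern browsers have since removed the XSS auditor that X-XSS-Protection controlled, so a Content-Security-Policy header now does that job; the other two headers remain standard.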