This is not the sort of thing that belongs in an HTTP server by
default. It's a one-off header that some users may elect to send but
the vast majority will not. If you need to simulate the feature of a
third-party server mod/plugin you should manually make a
header('Access-Control-Allow-Origin: ...') as needed in your
development code.
From an HTTP standpoint, baking this directly into the CLI server
doesn't make much sense IMO.
> This is not the sort of thing that belongs in an HTTP server by
> default. It's a one-off header that some users may elect to send but
> the vast majority will not.
Of course I agree if you were speaking about a production web server.
--
Matthew Leverton
You can use the router script to add that header of your desire into
every request.
Cheers
Mario
> This is not the sort of thing that belongs in an HTTP server by
> default. It's a one-off header that some users may elect to send but
> the vast majority will not.
>
> Of course I agree if you were speaking about a production web server.
> --
> Matthew Leverton
>
> You can use the router script to add that header of your desire into
> every request.
That's what I currently do. And I agree that if somebody wants to
deviate from the reasonable set of defaults that PHP provides, then he
must set them in a router script. I don't think the CLI server should
be a configurable web server.
But IMO, this is no different from PHP maintaining and delivering a
small set of Content-type headers. Of course you could take the same
hardline approach and tell the developer to set all of the content
headers himself because you're worried that somebody might use PNG as
a data file that holds ping pong scores. But neither the existence of
this nor the content-type have any reasonable side effects.
I'm just throwing this out here; I've got nothing more to say and am
fine with the powers-to-be doing whatever they feel appropriate.
--
Matthew Leverton
Hi Matthew,
2013/7/7 Matthew Leverton leverton@gmail.com
> You can use the router script to add that header of your desire into
> every request.
>
> That's what I currently do. And I agree that if somebody wants to
> deviate from the reasonable set of defaults that PHP provides, then he
> must set them in a router script. I don't think the CLI server should
> be a configurable web server.
>
> But IMO, this is no different from PHP maintaining and delivering a
> small set of Content-type headers. Of course you could take the same
> hardline approach and tell the developer to set all of the content
> headers himself because you're worried that somebody might use PNG as
> a data file that holds ping pong scores. But neither the existence of
> this nor the content-type have any reasonable side effects.
>
> I'm just throwing this out here; I've got nothing more to say and am
> fine with the powers-to-be doing whatever they feel appropriate.
It would be nice if PHP encourages secure web application development.
Not only having Access-Control-Allow-Origin but also
'X-Frame-Options' => 'SAMEORIGIN',
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff'
headers are best practice for better security.
It may not be suitable as a PHP core setting. However, it would
be great for many users to have these as a new core module setting.
PHP would be better if PHP promotes secure app development.
The number of recommended HTTP headers may increase.
Perhaps we should have a php.ini entry that specifies any HTTP headers
and set defaults in php.ini-*
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
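
The router-script approach discussed in this thread, sketched as an added example that is not part of any message above and is not PHP project code. The file name router.php, the ALLOWED_ORIGINS list, the localhost ports and the index.php front controller are assumptions for illustration.

```php
<?php
// router.php -- added example for the built-in CLI server.
// Start with: php -S 127.0.0.1:8000 router.php
// ALLOWED_ORIGINS and index.php are assumed names, not from the thread.
const ALLOWED_ORIGINS = ['http://localhost:3000', 'http://127.0.0.1:3000'];

$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$path = is_string($path) ? $path : '/';

// Existing non-PHP files are left to the built-in server's own handling.
$file = $_SERVER['DOCUMENT_ROOT'] . $path;
if (is_file($file) && strtolower(pathinfo($file, PATHINFO_EXTENSION)) !== 'php') {
    return false;
}

// The three headers listed in the thread, sent on every response
// produced through this script.
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');

// Echo the request's Origin back only when it is on the allowlist,
// rather than sending "*" to every caller.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, ALLOWED_ORIGINS, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin'); // the response differs per Origin
}

// Answer CORS preflight requests without running application code.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    if ($origin !== '' && !in_array($origin, ALLOWED_ORIGINS, true)) {
        http_response_code(403);
        return true;
    }
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
    http_response_code(204);
    return true;
}

// Everything else goes to the application's front controller.
require __DIR__ . '/index.php';
```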