-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Formatting, usage concerns #3
Comments
I tend to do most of my PHP work in the Magento community and was getting ready to raise this concern myself (so glad I checked for existing issues before posting...) The project looks interesting & I've forked it myself for further study...I'm digging into some research on other similar types of work in the Magento space and will provide whatever input / assistance I can after that. Great work and thanks for sharing, Aidan! |
@ameliaikeda thanks for the feedback!
As I understand it, the PSR-2 standard would only require me to adjust method names? (Personally I prefer the clarity of under_scores to camelCase). Is there any case toward renaming my private methods and variables for this change, or would adjusting the public scope be sufficient? Renaming the public methods would be pretty easily done, probably most of the work will be adjusting the wiki.
These two were on my list of things I planned to get to eventually, it's good to know people are looking for them – will make this a priority! |
Any suggestions you have that would help the adoption within major frameworks is something I'll try my best to get done ASAP! 😄 Would be great to get this as easy to use as possible. |
Private methods can generally be any format, really, but in actual practice in PHP with libraries, you may find it a good idea to mark your "private" code as Personally I'd say go for consistency throughout everything, because then contributing is so much easier.
I'd be happy to figure out a Laravel solution, since I have a fair bit of internals knowledge. It'd be easy enough to make a generic middleware for it. |
Also, PSR-2 is far more involved than that but everyone just uses an automatic formatter 😛 |
Interesting library for sure! 👍 Not sure whether this belongs here, but the issue is titled "Usage concerns", so I may as well expand the discussion... The way the library is currently set up, it might be hard to integrate into any modern PHP framework. That's because they typically do not use PHP's global request context methods (such as Most notably, this would probably be PSR-7 requests/responses or the equivalents from Symfony's HttpFoundation component. So, my first suggestion would be to split the configuration. generation and actual writing of the headers / cookies into separate classes: you'd have a factory that is used for configuring the headers, a class that creates the appropriate HTTP headers and cookies (only the strings) from that configuration, and finally an adapter that actually writes them to either a HTTP response object, or PHP's global functions. We could then create different adapters for integration with frameworks / other projects: I'd suggest three implementations, for PSR-7, Symfony, as well as the This might seem like overkill, but IMO it would greatly help in a) integratability (I might have made that word up), b) maintainability and c) testability. If you're interested, I would gladly help in transitioning the package. :) |
I wholeheartedly agree with @franzliedke! This package has a lot of potential but lacks the standards most of the PHP community has adopted, so it will probably be overlooked pretty quickly 😃 To expand on the automatic formatter @ameliaikeda mentioned, this one is used the most, but styleci can fix all of that after you push to GitHub with a pull request, if you prefer that. |
Also, concerning PSR-2; I was hesitant at first too, but taking on a standard really lowers the barrier of entry for new contributors to open source projects like this one as well. After having worked with it a couple of weeks, I couldn't do without 😄 |
Keep the feedback coming!
I was considering creating a SecureHeadersCore kind of class a while back actually. I wonder how much actually needs doing though: SecureHeaders has its own setters for headers, but it actually extracts headers (and cookies) from PHPs internal list and then passes them off to the setters as part of an import (see: SecureHeaders/SecureHeaders.php Lines 789 to 848 in 14d30d8
I guess what I'm saying here is that, provided the headers are loaded into PHPs list when In fact, if you've already configured csp in SecureHeaders for example, and SecureHeaders finds a CSP header – it will perform a merge on the two policies. So the two modes are already pretty compatible. (For the full chain of events when done is called, check out done in code, and the wiki ) Going back to:
Would be an easy change! The Do you mind opening a separate issue for splitting up the class as you've suggested? I'll use this as a general progress issue to keep track of the separate usability concerns. @ameliaikeda, @beejhuff, @svenluijten Looks like the consensus here is to move over to PSR-2 naming conventions. I'll definitely implement this for public methods, and protected variables. The private stuff I can move over a bit later (without breaking backwards compatibility too). |
I don't think you should worry too much about backwards compatibility. Simply tag a new major release (1.0.0, perhaps?). That way you wouldn't be breaking semver either. |
@ameliaikeda @beejhuff @svenluijten How's this looking? |
@aidantwoods you need a namespace if you're going to be using a package. I'd suggest |
@ameliaikeda You're right that that is common convention, but it's not actually required for a relatively small & simple package like this. Of course, once complexity gets to a point where a one-file package isn't enough, you might consider namespacing it and putting it in a |
Hey @aidantwoods great library, but hardly integrable within any modern framework as @franzliedke said I feel it would definitely be worth changing the structure of the project. |
@lucasmichot I'll get something pushed soon that splits SecureHeaders into more easily separable components as suggested by @franzliedke. Hopefully then it should just be a case of making adapters for particular frameworks 😄 |
@aidantwoods: you can't use any of the built-in PHP functions with most modern frameworks. They generally have a concept of "header bags", "cookie jars" and so on that are all set in advance, and all of the processing/sending a response is done after your code has completed. In order for this package to be used in Laravel (example only because I know it), you'd need the ability to pass in arbitrary cookies, and to pass in headers, as well as fetch headers/cookies back out of the state to transform back into a Also @svenluijten: a "simple" single class is still not an excuse to be using the global namespace ^^; |
I know @ameliaikeda, but I also don't think we should force anyone to use something just because it's a convention. Using the global namespace can cause some conflicts, but it's fine for now. Maybe in a future refactor when it's actually becoming a problem, it can be fixed. |
#8 is a good start maybe |
Lots of PR have been merged today thanks to @aidantwoods I believed Symfony and Laravel might come very soon 💯 ! |
@lucasmichot thanks again for all the good work with those PRs! 😄 |
Since this issue is about usability, I guess this is still relevant 😉 Does anyone have any thoughts on the behaviour I've introduced into type exceptions, discussed here. To summarise, functions have been designed to throw exceptions when given a type that they can't make any sense of. However, because throwing an exception causes output – PHP will send its current list of header immediately. This means that SecureHeaders no longer has the ability to modify headers, or even give PHP the ones that have already been configured successfully. I didn't want to remove exceptions, I think it's important that the programmer is made aware of the error if they're available. However, there is always the possibility that these exceptions will happen outside of testing. For that case I introduced an extension to the I feel that this method best honours the programmer's intent by sending headers that they have already configured, and also by producing the exception to let them know that something is wrong (if they're available to see it). @franzliedke has pointed out a few counter points to this, which you can read in full starting here. It would be valuable to get some more feedback on whether this should/should not be a feature/should be a feature but the default should be [x]. Thanks! |
Lots of work on this front, hopefully all summed up in https://github.com/aidantwoods/SecureHeaders/milestone/1 Let me know if you'd like to see anything added to that: open an Issue/PR :) Planning to close this issue once that milestone is all complete – let me know of any objections to that! |
While I love the idea of SecureHeaders being adoptable everywhere, you're not using PSR-1/PSR-4, you've not got this package on composer, and the vast majority of PHP code that is going to be updated will not be able to simply just include it.
In addition, it'd need to be modified so that all the major frameworks currently in use (wordpress/laravel/symfony2/drupal) can actually include it at the correct stages of their lifecycles without needing to modify core code. That one's far more tricky.
A few things you could do to cut down on work:
People haven't really done the download package / require files / use library approach in several years for newer projects at this point, and it'd be a shame for this package to just die from lack of use.
The text was updated successfully, but these errors were encountered: