Posted to dev@perl.apache.org by "Philippe M. Chiasson" <go...@ectoplasm.org> on 2005/01/06 21:04:04 UTC

[Patch mp2] X-Powered-By

Once again, a leaner cleaner way to implement our own X-Powered-By header ala
PHP. (missing docs/tests)

Thoughts on concept ?

--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5

Re: [Patch mp2] X-Powered-By

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Jan 06, 2005 at 12:04:04PM -0800, Philippe M. Chiasson wrote:
> Once again, a leaner cleaner way to implement our own X-Powered-By
> header ala PHP. (missing docs/tests)

FWIW I think X-Powered-By: is a trend of really poor taste. If every
module or filter decided that it was too important for just the Server:
header, your responses would get clogged up with advertising spam or
your httpd.conf's with "ModFooHeaderSpam Off" directives turning it all
off again. But just my 2p ;)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: [Patch mp2] X-Powered-By

Posted by "Philippe M. Chiasson" <go...@ectoplasm.org>.
Markus Wichitill wrote:
> Stas Bekman wrote:
> 
>>6. document how to add this header from their perl code.
>>
>>+1
> 
> Would also allow to expose even more details for those who want to:
> 
> <Perl>
>    $PerlConfig .=
>      "Header set X-Powered-By '$ENV{MOD_PERL} CGI.pm/$CGI::VERSION'";
> </Perl>
>
> (requires mod_headers, which comes with Apache2)

Sure is a neat little piece of code. One problem with it though is that it
will set that header even for static content.

I think it's certainly a good enough example to add to the docs for the folks
who want to send X-Powered-By headers if we don't end up implementing it though.

--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5

Re: [Patch mp2] X-Powered-By

Posted by Markus Wichitill <ma...@gmx.de>.
Stas Bekman wrote:
> 6. document how to add this header from their perl code.
> 
> +1

Would also allow to expose even more details for those who want to:

<Perl>
   $PerlConfig .=
     "Header set X-Powered-By '$ENV{MOD_PERL} CGI.pm/$CGI::VERSION'";
</Perl>

(requires mod_headers, which comes with Apache2)



Re: [Patch mp2] X-Powered-By

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> As it stands, there is some division on the idea of sending out 
> X-Powered-By headers
> just like PHP does. The various ideas that I believe were suggested were:
> 
> 1. Send it by default, runtime disable with PerlOptions -HTTPExpose
> 2. Send it by default, no way to disable
> 3. Not send it by default, runtime enable with PerlOptions +HTTPExpose
> 4. Not implement it at all

+1

> 5. Compile-time enable/disable (combined with either 1, 2 or 3)

6. document how to add this header from their perl code.

+1

> How does everybody feel about each of these options ?


-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: [Patch mp2] X-Powered-By

Posted by "Philippe M. Chiasson" <go...@ectoplasm.org>.
Joe Schaefer wrote:
> Geoffrey Young <ge...@modperlcookbook.org> writes:
> 
> [...]
> 
>>/me remembers a talk where he uses mod_perl to remove that "silly
>>X-Powered-By PHP thing"
> 
> ROTFL (and in complete agreement).
> 

LOL, and in this case, I think it's pretty clear that X-Powered-By should _not_
be implemented at all in the core.

If someone really wants it, the patch will still be in the mail-archives.

Moving on ;-)

--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5

Re: [Patch mp2] X-Powered-By

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Geoffrey Young <ge...@modperlcookbook.org> writes:

[...]

> /me remembers a talk where he uses mod_perl to remove that "silly
> X-Powered-By PHP thing"

ROTFL (and in complete agreement).

-- 
Joe Schaefer




Re: [Patch mp2] X-Powered-By

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> My reasoning for not including it even as an optional feature, is that it
> introduces an unnecessary overhead. even though it's just a flag check,
> if it happens for all http phases, it happens for each phase.

actually, that's a good point.  unlike php, which is content only, at what
point do we want to advertise that site foo is mod_perl "powered" if it runs
in _any_ phase?  a simple PerlTransHandler gives it "MOD_PERL POWER!!!!"
(echo, echo...)?

thinking about it like this, I'm ambivalent as to whether I want it in core
at all.  adding to the server tokens should be fine enough I'd think.

--Geoff

/me remembers a talk where he uses mod_perl to remove that "silly
X-Powered-By PHP thing"



Re: [Patch mp2] X-Powered-By

Posted by Stas Bekman <st...@stason.org>.
Perrin Harkins wrote:
> On Wed, 2005-01-12 at 14:34 -0800, Philippe M. Chiasson wrote:
> 
>>As it stands, there is some division on the idea of sending out X-Powered-By headers
>>just like PHP does. The various ideas that I believe were suggested were:
>>
>>1. Send it by default, runtime disable with PerlOptions -HTTPExpose
>>2. Send it by default, no way to disable
>>3. Not send it by default, runtime enable with PerlOptions +HTTPExpose
>>4. Not implement it at all
>>5. Compile-time enable/disable (combined with either 1, 2 or 3)
>>
>>How does everybody feel about each of these options ?
> 
> 
> Anything but 2 is fine with me.  I don't have a strong opinion about
> including this or not.

My reasoning for not including it even as an optional feature, is that it 
introduces an unnecessary overhead. even though it's just a flag check, if 
it happens for all http phases, it happens for each phase. Granted it's 
*very* small, but those small things add up. therefore if decided to add 
this feature internally I'd be +1 to have it enabled only at compile time.

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: [Patch mp2] X-Powered-By

Posted by Perrin Harkins <pe...@elem.com>.
On Wed, 2005-01-12 at 14:34 -0800, Philippe M. Chiasson wrote:
> As it stands, there is some division on the idea of sending out X-Powered-By headers
> just like PHP does. The various ideas that I believe were suggested were:
> 
> 1. Send it by default, runtime disable with PerlOptions -HTTPExpose
> 2. Send it by default, no way to disable
> 3. Not send it by default, runtime enable with PerlOptions +HTTPExpose
> 4. Not implement it at all
> 5. Compile-time enable/disable (combined with either 1, 2 or 3)
> 
> How does everybody feel about each of these options ?

Anything but 2 is fine with me.  I don't have a strong opinion about
including this or not.

- Perrin




Re: [Patch mp2] X-Powered-By

Posted by "Philippe M. Chiasson" <go...@ectoplasm.org>.
As it stands, there is some division on the idea of sending out X-Powered-By headers
just like PHP does. The various ideas that I believe were suggested were:

1. Send it by default, runtime disable with PerlOptions -HTTPExpose
2. Send it by default, no way to disable
3. Not send it by default, runtime enable with PerlOptions +HTTPExpose
4. Not implement it at all
5. Compile-time enable/disable (combined with either 1, 2 or 3)

How does everybody feel about each of these options ?

--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5

Re: [Patch mp2] X-Powered-By

Posted by Render Web <re...@ntlworld.com>.
Joe Schaefer wrote:
> Stas Bekman <st...@stason.org> writes:
>>So my latest vote on this is +0.
> Agreed, I'll go further and -0.5 it now.  IMO it 
> makes mp2 look toyish; but I understand the motivation 
> for wanting such a feature.

Being a lurker I don't get a vote :-)

IMHO such things have only irritation value to anyone
that does paid work - someone playing with it on their
home box may like the idea but would probably be more
impressed with being able to dynamically add headers
using the mod perl API via some really simple example.

Do we have a (simple) example that will allow some neophyte
to add a header to the output of any response?

If we do can we ship it with MP2 in a ready-to-use
state?

Personally I would prefer to see that example as
something that differentiates how much more powerful
MP is when compared to a template engine. :-)

Jacqui




Re: [Patch mp2] X-Powered-By

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Stas Bekman <st...@stason.org> writes:

[...]

> But on the other hand I tend to agree with Joe Orton, that maybe
> trying to copy that "feature" from php is not the best idea, as
> adding an extra mostly useless payload to each response is not the
> best thing to do. Especially if ServerToken is already set to full.
>
> So my latest vote on this is +0.

Agreed, I'll go further and -0.5 it now.  IMO it 
makes mp2 look toyish; but I understand the motivation 
for wanting such a feature.

-- 
Joe Schaefer




Re: [Patch mp2] X-Powered-By

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> Stas Bekman wrote:
> 
>> Philippe M. Chiasson wrote:
>>
>>> Perrin Harkins wrote:
>>>
>>>> On Thu, 2005-01-06 at 13:49 -0800, Philippe M. Chiasson wrote:
>>>>
>>>> [...]
>>>
>>>
>>> I can understand the concerns. I am looking for a suggestion that 
>>> would put us
>>> on equal footing with what php is doing.
>>>
>>> It seems PHP has a flag expose_php that is on by default. So I guess 
>>> we could just
>>> do the same:
>>>
>>> ModPerlExpose On|Off
>>>
>>> And have it default to On as well? Would that accommodate people's 
>>> concerns ?
>>
>>
>> As it's HTTP-specific, I'd rather call it:
>>
>> ModPerlHTTPExpose On|Off
>>
>> not to mislead users.
> 
> 
> How about this instead:
> 
> PerlOption (+|-)ExposeHttp
> or
> PerlOption (+|-)HttpExpose

That's better, but in either case it should be HTTP (not Http)

But on the other hand I tend to agree with Joe Orton, that maybe trying 
to copy that "feature" from php is not the best idea, as adding an extra 
mostly useless payload to each response is not the best thing to do. 
Especially if ServerToken is already set to full.

So my latest vote on this is +0.

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: [Patch mp2] X-Powered-By

Posted by Stas Bekman <st...@stason.org>.
Philippe M. Chiasson wrote:
> Perrin Harkins wrote:
> 
>> On Thu, 2005-01-06 at 13:49 -0800, Philippe M. Chiasson wrote:
>>
>>> Actually, I'd have to say the reason to come up with X-Powered-By is 
>>> specifically
>>> (well sorta) to get mod_perl advertised no matter what ServerTokens 
>>> is set to.
>>
>>
>> People will be upset if you make it hard to hide which modules are
>> running.  I have met a number of paranoid sysadmins who would blow a
>> gasket over things like this.  I suggest being conservative here.
> 
> 
> I can understand the concerns. I am looking for a suggestion that would 
> put us
> on equal footing with what php is doing.
> 
> It seems PHP has a flag expose_php that is on by default. So I guess we 
> could just
> do the same:
> 
> ModPerlExpose On|Off
> 
> And have it default to On as well? Would that accommodate people's 
> concerns ?

As it's HTTP-specific, I'd rather call it:

ModPerlHTTPExpose On|Off

not to mislead users.

-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com



Re: [Patch mp2] X-Powered-By

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Perrin Harkins <pe...@elem.com> writes:

> On Thu, 2005-01-06 at 15:35 -0800, Philippe M. Chiasson wrote:
>> It seems PHP has a flag expose_php that is on by default. So I guess
>> we could just do the same:
>> 
>> ModPerlExpose On|Off
>> 
>> And have it default to On as well? Would that accommodate people's concerns ?
>
> +1

Cool.

-- 
Joe Schaefer




Re: [Patch mp2] X-Powered-By

Posted by Perrin Harkins <pe...@elem.com>.
On Thu, 2005-01-06 at 15:35 -0800, Philippe M. Chiasson wrote:
> It seems PHP has a flag expose_php that is on by default. So I guess we could just
> do the same:
> 
> ModPerlExpose On|Off
> 
> And have it default to On as well? Would that accommodate people's concerns ?

+1

- Perrin




Re: [Patch mp2] X-Powered-By

Posted by Ian Holsman <li...@holsman.net>.
Philippe M. Chiasson wrote:
> Perrin Harkins wrote:
> 
>> On Thu, 2005-01-06 at 13:49 -0800, Philippe M. Chiasson wrote:
>>
>>> Actually, I'd have to say the reason to come up with X-Powered-By is 
>>> specifically
>>> (well sorta) to get mod_perl advertised no matter what ServerTokens 
>>> is set to.
>>
>>
>> People will be upset if you make it hard to hide which modules are
>> running.  I have met a number of paranoid sysadmins who would blow a
>> gasket over things like this.  I suggest being conservative here.
> 
> 
> I can understand the concerns. I am looking for a suggestion that would 
> put us
> on equal footing with what php is doing.
> 
> It seems PHP has a flag expose_php that is on by default. So I guess we 
> could just
> do the same:
> 
> ModPerlExpose On|Off
> 
> And have it default to On as well? Would that accommodate people's 
> concerns ?

+1 from here.
just remember to bury the way to turn it off, as PHP does ;-)

> 
> -------------------------------------------------------------------------------- 
> 
> Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 
> 88C3A5A5
> http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 
> 88C3A5A5




Re: [Patch mp2] X-Powered-By

Posted by "Philippe M. Chiasson" <go...@ectoplasm.org>.
Perrin Harkins wrote:
> On Thu, 2005-01-06 at 13:49 -0800, Philippe M. Chiasson wrote:
> 
>>Actually, I'd have to say the reason to come up with X-Powered-By is specifically
>>(well sorta) to get mod_perl advertised no matter what ServerTokens is set to.
> 
> People will be upset if you make it hard to hide which modules are
> running.  I have met a number of paranoid sysadmins who would blow a
> gasket over things like this.  I suggest being conservative here.

I can understand the concerns. I am looking for a suggestion that would put us
on equal footing with what php is doing.

It seems PHP has a flag expose_php that is on by default. So I guess we could just
do the same:

ModPerlExpose On|Off

And have it default to On as well? Would that accommodate people's concerns ?

--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5

Re: [Patch mp2] X-Powered-By

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Perrin Harkins <pe...@elem.com> writes:

> On Thu, 2005-01-06 at 13:49 -0800, Philippe M. Chiasson wrote:
>> Actually, I'd have to say the reason to come up with X-Powered-By is
>> specifically  (well sorta) to get mod_perl advertised no matter what
>> ServerTokens is set to. 
>
> People will be upset if you make it hard to hide which modules are
> running.  I have met a number of paranoid sysadmins who would blow a
> gasket over things like this.  I suggest being conservative here.

+1

-- 
Joe Schaefer




Re: [Patch mp2] X-Powered-By

Posted by Perrin Harkins <pe...@elem.com>.
On Thu, 2005-01-06 at 13:49 -0800, Philippe M. Chiasson wrote:
> Actually, I'd have to say the reason to come up with X-Powered-By is specifically
> (well sorta) to get mod_perl advertised no matter what ServerTokens is set to.

People will be upset if you make it hard to hide which modules are
running.  I have met a number of paranoid sysadmins who would blow a
gasket over things like this.  I suggest being conservative here.

- Perrin




Re: [Patch mp2] X-Powered-By

Posted by "Philippe M. Chiasson" <go...@ectoplasm.org>.
Geoffrey Young wrote:
> Geoffrey Young wrote:
>>Philippe M. Chiasson wrote:
>>
>>+1 on concept
> 
> actually, I would consider making it respect the value of ServerTokens,
> maybe only sending X-Powered-By it for a subset of available values for
> security (well obscurity) reasons.

Actually, I'd have to say the reason to come up with X-Powered-By is specifically
(well sorta) to get mod_perl advertised no matter what ServerTokens is set to.

I guess we could use ServerTokens to possibly hide some information:

X-Powered-By: mod_perl/2.0.0
vs
X-Powered-By: mod_perl/2.x.x

--------------------------------------------------------------------------------
Philippe M. Chiasson m/gozer\@(apache|cpan|ectoplasm)\.org/ GPG KeyID : 88C3A5A5
http://gozer.ectoplasm.org/     F9BF E0C2 480E 7680 1AE5 3631 CB32 A107 88C3A5A5
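
A defender-side check for the concern raised in this thread, added here as an example (not part of the original messages or of mod_perl): it compares what `X-Powered-By` discloses with what the `Server` header, as governed by `ServerTokens`, already reveals. The function names, the sample responses and the Apache and Perl version strings are constructed for illustration.

```python
import re

def parse_headers(raw):
    """Return {lowercased name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def product_tokens(value):
    """Map product name -> version ('' if absent), dropping "(comments)"."""
    tokens = {}
    for tok in re.sub(r"\([^)]*\)", " ", value).split():
        name, _, version = tok.partition("/")
        tokens[name.lower()] = version
    return tokens

def detail(version):
    """Count leading numeric version components: '' -> 0, '2.x.x' -> 1."""
    n = 0
    for part in version.lstrip("v").split("."):
        if not re.match(r"\d", part):
            break
        n += 1
    return n

def audit(raw):
    """List (product, issue) pairs where X-Powered-By says more than Server."""
    h = parse_headers(raw)
    server = product_tokens(h.get("server", ""))
    # The most detailed version Server already gives sets the allowed ceiling.
    ceiling = max((detail(v) for v in server.values()), default=0)
    findings = []
    for name, version in product_tokens(h.get("x-powered-by", "")).items():
        if name not in server:
            findings.append((name, "module not named in Server"))
        if detail(version) > ceiling:
            findings.append((name, "version more detailed than Server"))
    return findings

# Constructed sample responses (not captured from any real host).
PROD_EXPOSED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                "X-Powered-By: mod_perl/2.0.0\r\n\r\n")
PROD_MASKED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
               "X-Powered-By: mod_perl/2.x.x\r\n\r\n")
FULL = ("HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.0.52 (Unix) mod_perl/2.0.0 Perl/v5.8.5\r\n"
        "X-Powered-By: mod_perl/2.0.0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("Prod + full version", PROD_EXPOSED),
                       ("Prod + masked version", PROD_MASKED),
                       ("Full", FULL)):
        print(label, audit(raw))
```

With `ServerTokens` at its most restrictive, even the masked `mod_perl/2.x.x` form still names the module and its major version, while under a full `Server` header the extra header adds nothing new.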

Re: [Patch mp2] X-Powered-By

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Geoffrey Young wrote:
> 
> Philippe M. Chiasson wrote:
> 
>>Once again, a leaner cleaner way to implement our own X-Powered-By
>>header ala
>>PHP. (missing docs/tests)
>>
>>Thoughts on concept ?
> 
> 
> +1 on concept

actually, I would consider making it respect the value of ServerTokens,
maybe only sending X-Powered-By it for a subset of available values for
security (well obscurity) reasons.

--Geoff



Re: [Patch mp2] X-Powered-By

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Philippe M. Chiasson wrote:
> Once again, a leaner cleaner way to implement our own X-Powered-By
> header ala
> PHP. (missing docs/tests)
> 
> Thoughts on concept ?

+1 on concept.

--Geoff
