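The documentation on CORS headers for amp-form could be easier to follow, and I'm still not quite sure whether I've done everything right.
Right now, my form appears to work on my own website as well as in Google's AMP results. However, it doesn't work on my development site, and I'm also not sure it's really very secure. This is the code I'm currently using, in a script that lives on https://podnews.net
This is the result of a lot of trial and error, and I can't help thinking that the documentation could address this more clearly.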
```php
header('Cache-Control: private, no-cache');
header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);
header('Access-Control-Allow-Credentials: true');
header('access-control-expose-headers: AMP-Access-Control-Allow-Source-Origin');
header('AMP-Access-Control-Allow-Source-Origin: https://podnews.net');
header('Content-Type: application/json');
```
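In particular: $_SERVER['HTTP_ORIGIN'], as I understand it, can include the AMP caches.
What are the correct valid values here? How do I add multiple values (given that there are at least two AMP caches)? Why doesn't it work on the development site, which is something like http://dev.podnews.net (the error it throws is about CORS, not about being on HTTP rather than HTTPS)? How can this be written up so that all AMP developers can refer to it easily?
After more fiddling, I think the answer is this rather clunky code here: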
```php
header('Cache-Control: private, no-cache');
$thisDomain = "https://podnews.net";    // The main production domain
$devDomain = "http://dev.podnews.net";  // The development domain
// Build the AMP cache subdomain from the host only (no scheme):
// "-" becomes "--", then "." becomes "-", giving "podnews-net"
$googleAMPCacheSubdomain = str_replace(".", "-", str_replace("-", "--", parse_url($thisDomain, PHP_URL_HOST)));
// If you use an IDN, you've got more work to do in the above to work out your AMP cache subdomain
// https://github.com/ampproject/amphtml/blob/master/spec/amp-cors-requests.md has details
$validOrigins = array(
    'https://'.$googleAMPCacheSubdomain.'.cdn.ampproject.org',
    'https://cdn.ampproject.org',
    'https://amp.cloudflare.com',
    $thisDomain,
    $devDomain
);
// Missing values become '' so the checks below fail closed without PHP notices
$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
$sourceOrigin = isset($_GET['__amp_source_origin']) ? $_GET['__amp_source_origin'] : '';
if (!in_array($origin, $validOrigins, true)) {
    // Stop doing anything if this is an unfamiliar origin
    header('X-Debug: '.$origin.' is an unrecognised origin');
    header('HTTP/1.0 403 Forbidden'); exit;
}
if ($sourceOrigin !== $thisDomain && $sourceOrigin !== $devDomain) {
    // Stop doing anything if this is an unfamiliar source origin
    // Note: if using Amazon Cloudfront, don't forget to allow query strings through
    header('X-Debug: '.$sourceOrigin.' is an unrecognised source origin');
    header('HTTP/1.0 403 Forbidden'); exit;
}
// Both values matched a fixed list above, so echoing them back is safe here
header('Access-Control-Allow-Origin: '.$origin);
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin');
header('AMP-Access-Control-Allow-Source-Origin: '.$sourceOrigin);
header('Content-Type: application/json');
// You're in!
```
I hope this is a nicely copy/paste-able answer that others might find useful. It was hard work!
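The difference between the headers in the question and the checks in the answer, shown as an added example that is not part of either post: it runs both policies over the same constructed requests. The function names are hypothetical, the `.example` origins are made up, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names are hypothetical and the requests are constructed.
const SOURCE_ORIGINS = ['https://podnews.net', 'http://dev.podnews.net'];

// Google AMP Cache origin for a plain ASCII host: "-" -> "--", then "." -> "-".
function ampCacheOrigin(string $sourceOrigin): string {
    $host = parse_url($sourceOrigin, PHP_URL_HOST);
    return 'https://' . str_replace('.', '-', str_replace('-', '--', $host)) . '.cdn.ampproject.org';
}

// The answer's list of acceptable Origin header values.
function allowedOrigins(): array {
    return array_merge(SOURCE_ORIGINS, [
        ampCacheOrigin('https://podnews.net'),
        'https://cdn.ampproject.org',
        'https://amp.cloudflare.com',
    ]);
}

// Question's policy: echo back whatever Origin arrived, with credentials allowed.
function reflectPolicy(?string $origin, ?string $sourceOrigin): array {
    return ['status' => 200, 'allowOrigin' => $origin];
}

// Answer's policy: exact, type-strict match of both values against fixed lists.
function allowlistPolicy(?string $origin, ?string $sourceOrigin): array {
    $ok = in_array($origin, allowedOrigins(), true)
        && in_array($sourceOrigin, SOURCE_ORIGINS, true);
    return $ok ? ['status' => 200, 'allowOrigin' => $origin]
               : ['status' => 403, 'allowOrigin' => null];
}

// Constructed requests: [Origin header, __amp_source_origin query parameter].
$requests = [
    ['https://podnews.net', 'https://podnews.net'],
    ['https://podnews-net.cdn.ampproject.org', 'https://podnews.net'],
    ['https://unrelated.example', 'https://podnews.net'],
    ['https://podnews.net.unrelated.example', 'https://podnews.net'],
    ['https://podnews.net', 'https://unrelated.example'],
    [null, 'https://podnews.net'],
];
foreach ($requests as [$origin, $source]) {
    $reflect = reflectPolicy($origin, $source);
    $allow = allowlistPolicy($origin, $source);
    printf("%-40s %-28s reflect=%d allowlist=%d\n",
        $origin ?? '(no Origin header)', $source, $reflect['status'], $allow['status']);
}
```

Only the first two requests pass the allowlist. The reflecting policy answers 200 to every row, which together with `Access-Control-Allow-Credentials: true` lets any site that sends an Origin header read the credentialed response.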