Using add_header unconditionally means they will always be added to the response. This means, e.g., if Craft tries to add a Content-Security-Policy header, you'll end up with two Content-Security-Policy headers, which results in a CORS error.
Similarly, there is no way to unset a header set by nginx when you need to, like X-Frame-Options.
Most of these issues appear with multisite and preview, as you're dealing with multiple domains.
As a rule though, I don't think we should set any headers that could be set in PHP/Craft, as it means they cannot be overridden in the response.
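The duplicated-header situation described above is easy to miss in a browser but simple to check for at the HTTP layer. The following script is an added example, not code from the thread or from Craft/nginx: it parses captured response headers (e.g. the output of `curl -sI` on a page) and flags security headers that browsers expect at most once but that arrive more than once, which is exactly what happens when nginx's add_header and PHP both emit them. The sample response, including the preview.example.com domain, is constructed for illustration.

```python
"""Detect duplicated single-valued security headers in a raw HTTP response.

Added example (not from the original thread). It assumes the response
status line and headers have been captured as plain text.
"""
from collections import Counter

# Headers a browser expects at most once. When nginx's add_header and the
# PHP application both set one of these, the response carries two copies
# and the effective policy becomes browser-dependent.
SINGLE_VALUED = {
    "content-security-policy",
    "x-frame-options",
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response (status line + header lines) into (name, value) pairs.

    Names are lower-cased so that case differences between nginx and PHP
    do not hide a duplicate.
    """
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_duplicates(raw: str) -> dict[str, list[str]]:
    """Return {header: [all values]} for single-valued headers sent more than once."""
    pairs = parse_headers(raw)
    counts = Counter(name for name, _ in pairs)
    return {
        name: [v for n, v in pairs if n == name]
        for name in counts
        if name in SINGLE_VALUED and counts[name] > 1
    }


# Constructed sample: nginx added a CSP via add_header, and the application
# (e.g. Craft rendering a preview for another site) added its own.
SAMPLE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors https://preview.example.com
"""

if __name__ == "__main__":
    for name, values in find_duplicates(SAMPLE).items():
        print(f"{name}: set {len(values)} times -> {values}")
```

Run it against a real capture by replacing SAMPLE with the header block of the page you are testing; any header it reports should be owned by exactly one layer, which in the setup discussed here means removing it from the nginx config and letting PHP set it.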