@@ -252,7 +252,12 @@ The callback receives the ``StreamResponse`` instance. ``StreamResponse::write()
252252returns ``false `` once the client has disconnected, so you can stop producing
253253output early. By default, every ``write() `` flushes output to the client
254254immediately. When writing many small chunks, pass ``false `` as the second
255- argument and call ``StreamResponse::flush() `` at intervals instead.
255+ argument and call ``StreamResponse::flush() `` at intervals instead - the
256+ example above flushes once per batch.
257+
258+ The callback is not limited to ``write() ``: you may also write directly to
259+ ``php://output `` (for example, with ``fputcsv() `` for CSV exports), calling
260+ ``flush() `` and ``StreamResponse::isClientConnected() `` yourself.
256261
257262Alternatively, you may pass an iterable of string chunks (such as a generator),
258263and each chunk is written and flushed in order:
@@ -264,16 +269,25 @@ Headers and Status Code
264269
265270Set the content type, status code, and any custom headers **before ** returning
266271the response - anything set inside the callback will be too late. Unless you
267- have already set them, ``StreamResponse `` applies ``X-Accel-Buffering: no `` and
268- ``Content-Encoding: identity `` to discourage intermediaries from buffering or
269- compressing the stream.
272+ have already set it, ``StreamResponse `` applies ``X-Accel-Buffering: no `` to
273+ discourage intermediaries from buffering the stream. PHP's zlib output
274+ compression is turned off automatically, but if your web server or CDN
275+ compresses responses (e.g., nginx ``gzip `` or Apache ``mod_deflate ``), configure
276+ it to skip your streaming endpoints - compression can delay chunk delivery.
270277
271278The response is streamed: output buffering is disabled, the PHP time limit is
272279removed, and the session is closed to avoid blocking other requests. After
273280filters still run and may set headers, but they must not rely on the response
274281body. View rendering and decorators are not applied - stream your output in
275282the callback.
276283
284+ If :doc: `Content Security Policy </outgoing/csp >` is enabled, the
285+ ``Content-Security-Policy `` header is sent as usual. However, nonce
286+ placeholders cannot be replaced in a streamed body. When streaming HTML that
287+ needs a nonce, call ``$this->response->getCSP()->getScriptNonce() `` (or
288+ ``getStyleNonce() ``) **before ** returning the response and embed the returned
289+ value in your output yourself.
290+
277291``StreamResponse `` does not set a ``Content-Length `` header by default, since
278292the body length is typically unknown in advance. Without it, clients cannot
279293display download progress or resume interrupted transfers. If you do know the
@@ -369,9 +383,9 @@ Production Considerations
369383Some server stacks and CDNs buffer or compress responses (e.g., Apache with
370384``mod_deflate ``), which can break real-time SSE delivery.
371385``SSEResponse `` disables PHP output buffering, turns off zlib output
372- compression, and sets ``Content-Encoding: identity `` and `` X-Accel-Buffering: no ``.
373- However, intermediaries may still buffer or compress, so configure your web server
374- or CDN to disable buffering/compression for SSE endpoints.
386+ compression, and sets ``X-Accel-Buffering: no ``. However, intermediaries may
387+ still buffer or compress, so configure your web server or CDN to disable
388+ buffering/compression for SSE endpoints.
375389
376390Example: Product-Oriented Use Case
377391----------------------------------
0 commit comments