From 650bc246ab4a7c2a11a207e3bf9d74c07d190eb7 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Thu, 19 May 2022 20:11:19 +0200
Subject: [PATCH] fix: JS caching via Access-Control-Expose-Headers (#8984)

This fix safelists additional headers allowing JS running on websites to read them when IPFS resource is downloaded via Fetch API. These headers provide metadata necessary for making smart caching decisions when IPFS resources are downloaded via Service Worker or a similar middleware on the edge.
---
 core/corehttp/gateway.go | 3 +++
 test/sharness/t0112-gateway-cors.sh | 13 +++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/core/corehttp/gateway.go b/core/corehttp/gateway.go
index a4ae5383179..84ad13897c8 100644
--- a/core/corehttp/gateway.go
+++ b/core/corehttp/gateway.go
@@ -84,9 +84,12 @@ func GatewayOption(writable bool, paths ...string) ServeOption {

 headers[ACEHeadersName] = cleanHeaderSet(
 append([]string{
+ "Content-Length",
 "Content-Range",
 "X-Chunked-Output",
 "X-Stream-Output",
+ "X-Ipfs-Path",
+ "X-Ipfs-Roots",
 }, headers[ACEHeadersName]...))

 var gateway http.Handler = newGatewayHandler(GatewayConfig{
diff --git a/test/sharness/t0112-gateway-cors.sh b/test/sharness/t0112-gateway-cors.sh
index cebb4e05aab..4bb2a509029 100755
--- a/test/sharness/t0112-gateway-cors.sh
+++ b/test/sharness/t0112-gateway-cors.sh
@@ -26,7 +26,10 @@ test_expect_success "GET response for Gateway resource looks good" '
 grep "< Access-Control-Allow-Origin: \*" curl_output &&
 grep "< Access-Control-Allow-Methods: GET" curl_output &&
 grep "< Access-Control-Allow-Headers: Range" curl_output &&
- grep "< Access-Control-Expose-Headers: Content-Range" curl_output
+ grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+ grep "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output
 '

 # HTTP OPTIONS Request
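Review bot: The list extended in `GatewayOption` (now also `Content-Length`, `X-Ipfs-Path` and `X-Ipfs-Roots`) has no comment saying why each header is safe to hand to cross-origin scripts. The tests in this same patch show the gateway answering with `Access-Control-Allow-Origin: *`, so any origin's JS can now read those values. That is probably acceptable since the same origins can already read the body, but the list is a security boundary and should say so above the `append`, e.g. `// Readable by any origin's JS via Access-Control-Expose-Headers; add a header only if its value is never sensitive.` The hard-coded entries are prepended to the operator's configured values, so it looks as if config cannot remove an exposure; worth confirming in `cleanHeaderSet`, whose body, like the rest of `GatewayOption`, is outside the hunk.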
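Review bot: The added `grep` lines in the GET test only assert that each expected name is present, so a later change that exposes an extra header to cross-origin scripts would still pass; the same holds for the matching additions in the OPTIONS test and in the "Access-Control-Allow-Headers extends" test further down. Because this list decides what any origin can read, each test should also pin the full set. One way is to collect the exposed names with `grep "< Access-Control-Expose-Headers:" curl_output | sort > actual` and compare them to an expected file with `test_cmp expected actual`. The expected file would need the `X-Chunked-Output` and `X-Stream-Output` entries that the current checks never mention, and, in the extends test, `X-Custom2`.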
@@ -40,7 +43,10 @@ test_expect_success "OPTIONS response for Gateway resource looks good" '
 grep "< Access-Control-Allow-Origin: \*" curl_output &&
 grep "< Access-Control-Allow-Methods: GET" curl_output &&
 grep "< Access-Control-Allow-Headers: Range" curl_output &&
- grep "< Access-Control-Expose-Headers: Content-Range" curl_output
+ grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+ grep "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output
 '

 test_kill_ipfs_daemon
@@ -63,6 +69,9 @@ test_expect_success "Access-Control-Allow-Headers extends" '
 grep "< Access-Control-Allow-Headers: Range" curl_output &&
 grep "< Access-Control-Allow-Headers: X-Custom1" curl_output &&
 grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+ grep "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output &&
 grep "< Access-Control-Expose-Headers: X-Custom2" curl_output
 '