From bbe8c207031140906f5fb8155133202958ddd8b6 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Thu, 19 May 2022 20:11:19 +0200
Subject: [PATCH] fix: JS caching via Access-Control-Expose-Headers (#8984)

This fix safelists additional headers allowing JS running on websites to read them when IPFS resource is downloaded via Fetch API. These headers provide metadata necessary for making smart caching decisions when IPFS resources are downloaded via Service Worker or a similar middleware on the edge.

(cherry picked from commit 650bc246ab4a7c2a11a207e3bf9d74c07d190eb7)
---
 core/corehttp/gateway.go | 3 +++
 test/sharness/t0112-gateway-cors.sh | 13 +++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/core/corehttp/gateway.go b/core/corehttp/gateway.go
index a4ae5383179a..84ad13897c8a 100644
--- a/core/corehttp/gateway.go
+++ b/core/corehttp/gateway.go
@@ -84,9 +84,12 @@ func GatewayOption(writable bool, paths ...string) ServeOption {

 headers[ACEHeadersName] = cleanHeaderSet(
 append([]string{
+ "Content-Length",
 "Content-Range",
 "X-Chunked-Output",
 "X-Stream-Output",
+ "X-Ipfs-Path",
+ "X-Ipfs-Roots",
 }, headers[ACEHeadersName]...))

 var gateway http.Handler = newGatewayHandler(GatewayConfig{
diff --git a/test/sharness/t0112-gateway-cors.sh b/test/sharness/t0112-gateway-cors.sh
index cebb4e05aabc..4bb2a509029c 100755
--- a/test/sharness/t0112-gateway-cors.sh
+++ b/test/sharness/t0112-gateway-cors.sh
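Review bot: The safelist literal in `GatewayOption` (core/corehttp/gateway.go) is prepended to whatever the operator put in `headers[ACEHeadersName]`, so `X-Ipfs-Path` and `X-Ipfs-Roots` become readable by cross-origin scripts unconditionally and configuration can only add to the list, never remove from it; that deserves a comment above the literal, given that the tests in this patch expect `Access-Control-Allow-Origin: *` on gateway responses. Something like `// Always exposed to cross-origin JS (config can only extend this list); values must stay non-sensitive.` would record the assumption for whoever adds the next header. `Content-Length` is already a CORS-safelisted response header in the current Fetch standard, so its entry presumably targets older clients and the comment could say so. The function starts and ends outside the hunk, so how `cleanHeaderSet` treats operator-supplied duplicates of these names is not visible here.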
@@ -26,7 +26,10 @@ test_expect_success "GET response for Gateway resource looks good" '
 grep "< Access-Control-Allow-Origin: \*" curl_output &&
 grep "< Access-Control-Allow-Methods: GET" curl_output &&
 grep "< Access-Control-Allow-Headers: Range" curl_output &&
- grep "< Access-Control-Expose-Headers: Content-Range" curl_output
+ grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+ grep "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output
 '

 # HTTP OPTIONS Request
@@ -40,7 +43,10 @@ test_expect_success "OPTIONS response for Gateway resource looks good" '
 grep "< Access-Control-Allow-Origin: \*" curl_output &&
 grep "< Access-Control-Allow-Methods: GET" curl_output &&
 grep "< Access-Control-Allow-Headers: Range" curl_output &&
- grep "< Access-Control-Expose-Headers: Content-Range" curl_output
+ grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+ grep "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output
 '

 test_kill_ipfs_daemon
@@ -63,6 +69,9 @@ test_expect_success "Access-Control-Allow-Headers extends" '
 grep "< Access-Control-Allow-Headers: Range" curl_output &&
 grep "< Access-Control-Allow-Headers: X-Custom1" curl_output &&
 grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+ grep "< Access-Control-Expose-Headers: Content-Length" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Path" curl_output &&
+ grep "< Access-Control-Expose-Headers: X-Ipfs-Roots" curl_output &&
 grep "< Access-Control-Expose-Headers: X-Custom2" curl_output
 '
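Review bot: The same three `grep` assertions are pasted into all three hunks of this file (the GET test, the OPTIONS test and "Access-Control-Allow-Headers extends"), so the next change to the gateway's default expose list has to be mirrored by hand in three places; a small helper would keep the expected list in one spot. The patterns are also substring matches, so `X-Ipfs-Path` would be satisfied by a longer header name that merely starts with it, which is worth keeping in mind when reading a green run. Each test body begins above its hunk, so the helper below is a sketch of what would replace the repeated lines.

```shell
# defined once near the top of the test file
check_exposed_defaults() {
	for h in Content-Range Content-Length X-Ipfs-Path X-Ipfs-Roots; do
		grep "< Access-Control-Expose-Headers: $h" curl_output || return 1
	done
}

# … unchanged: Allow-Origin / Allow-Methods / Allow-Headers greps …
	check_exposed_defaults
```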