Don't require one-time tokens to view file resources
Closed, Public

Authored by epriestley on Apr 6 2016, 8:42 PM.

Details

Summary

Ref T10262. This removes one-time tokens and makes file data responses always-cacheable (for 30 days).

The URI will stop working once any attached object changes its view policy, or the file view policy itself changes.

Files with canCDN (totally public data like profile images, CSS, JS, etc) use "cache-control: public" so they can be CDN'd.

Files without canCDN use "cache-control: private" so they won't be cached by the CDN. They could still be cached by a misbehaving local cache, but if you don't want your users seeing one another's secret files you should configure your local network properly.

Our "Cache-Control" headers were also from 1999 or something; update them to be more modern/sane. I can't find any evidence that any browser has done the wrong thing with this simpler ruleset in the last ~10 years.

Test Plan
  • Configured alternate file domain.
  • Viewed site: stuff worked.
  • Accessed a file on primary domain, got redirected to alternate domain.
  • Verified proper cache headers for canCDN (public) and non-canCDN (private) files.
  • Uploaded a file to a task, edited task policy, verified it scrambled the old URI.
  • Reloaded task, new URI generated transparently.
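
The header check from the test plan can be automated. The following is an added example, not code from this revision or from Phabricator: it audits a file response's Cache-Control value against the policy in the summary (public for canCDN, private otherwise, 30-day lifetime). It assumes the lifetime is sent as `max-age` in seconds; the function names and sample headers are constructed for illustration.

```python
# Added example: audit file-response Cache-Control headers against the policy
# in the summary. The sample responses below are constructed, not captured.
THIRTY_DAYS = 30 * 24 * 60 * 60  # "always-cacheable (for 30 days)", assumed as max-age


def parse_cache_control(value):
    """Parse a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit(can_cdn, header):
    """Return a list of findings; an empty list means the header matches."""
    d = parse_cache_control(header or "")
    findings = []
    if "no-store" in d or "no-cache" in d:
        findings.append("response is not cacheable")
    if d.get("max-age") != str(THIRTY_DAYS):
        findings.append("max-age is not 30 days")
    if can_cdn:
        if "public" not in d:
            findings.append("canCDN file is missing 'public'")
        if "private" in d:
            findings.append("canCDN file is marked 'private'")
    else:
        if "private" not in d:
            findings.append("non-canCDN file is missing 'private'")
        # 'public' or 's-maxage' lets a shared cache (the CDN) store the file.
        for leak in ("public", "s-maxage"):
            if leak in d:
                findings.append("non-canCDN file allows shared caching: " + leak)
    return findings


# Constructed samples: (canCDN, Cache-Control header value).
SAMPLES = [
    (True, "public, max-age=2592000"),
    (False, "private, max-age=2592000"),
    (False, "public, max-age=2592000"),
    (False, "Private, s-maxage=600, max-age=2592000"),
]

if __name__ == "__main__":
    for can_cdn, header in SAMPLES:
        print(can_cdn, repr(header), audit(can_cdn, header) or "ok")
```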

Diff Detail

Repository: rP Phabricator
Branch: fpolicy2
Lint: Lint Passed
Unit: Tests Passed
Build Status: Buildable 11559
  Build 14439: Run Core Tests
  Build 14438: arc lint + arc unit

Event Timeline

epriestley retitled this revision from to Don't require one-time tokens to view file resources.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Apr 6 2016, 8:48 PM
This revision was automatically updated to reflect the committed changes.