- Prior to T5685, files were protected by unguessable secrets in URIs.
- This is the standard method used by Facebook, Google, etc. However, it means that knowing a URL allows you to view the file data, and it creates a hypothetical risk where leaking, say, an access log might also leak valid URIs.
- This was unacceptable to WMF, and in T5685 we changed this behavior to issue and require one-time-use tokens to view files.
- Uncacheable images which require a one-time-token handshake to view cause performance problems essentially everywhere that we load file content.
- UIs where the user might want to page back and forth between images (like Pholio and Lightboxes) are particularly crippled.
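
A small model of the two schemes in the list above, added here as an illustration and not the project's own code: it requests a file once as the user and once more with the same URI read back from an access log. The `FileStore` class, its method names and the `/file/data/...` URI layout are assumptions, and the file contents are constructed sample data.

```python
import hmac
import secrets

class FileStore:
    # Hypothetical store modelling both access schemes side by side.
    def __init__(self):
        self.files = {}    # file id -> (permanent secret key, data)
        self.tokens = {}   # outstanding one-time token -> file id

    def add_file(self, file_id, data):
        self.files[file_id] = (secrets.token_urlsafe(16), data)

    # Scheme 1: the permanent secret in the URI is the only credential.
    def secret_uri(self, file_id):
        key, _ = self.files[file_id]
        return f"/file/data/{key}/{file_id}"

    # Scheme 2: the URI carries a token that is destroyed on first use.
    def issue_token_uri(self, file_id):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = file_id
        return f"/file/data/{token}/{file_id}"

    def serve_by_secret(self, uri):
        _, _, _, key, file_id = uri.split("/")
        stored = self.files.get(file_id)
        if stored and hmac.compare_digest(stored[0], key):
            return 200, stored[1]
        return 403, None

    def serve_by_token(self, uri):
        _, _, _, token, file_id = uri.split("/")
        # pop() consumes the token, so a second request with it is refused.
        if self.tokens.pop(token, None) == file_id:
            return 200, self.files[file_id][1]
        return 403, None

def replay_from_access_log(store):
    # Returns {scheme: (status of first view, status of replay from the log)}.
    store.add_file("F1", b"constructed sample image bytes")
    schemes = {"secret": (store.secret_uri, store.serve_by_secret),
               "token": (store.issue_token_uri, store.serve_by_token)}
    results = {}
    for name, (make_uri, serve) in schemes.items():
        uri = make_uri("F1")
        access_log = [uri]                 # the server logs the full request URI
        first = serve(uri)[0]              # legitimate view
        replay = serve(access_log[0])[0]   # same URI taken from the log
        results[name] = (first, replay)
    return results
```

In this model the secret URI is identical on every page load, so a browser or proxy can cache it, while each call to `issue_token_uri` yields a new URI that works once, which is the handshake cost the last two items describe.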