1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-29 08:50:58 +01:00
phorge-phorge/src/aphront
epriestley 439821c7b2 Don't require one-time tokens to view file resources
Summary:
Ref T10262. This removes one-time tokens and makes file data responses always-cacheable (for 30 days).

The URI will stop working once any attached object changes its view policy, or the file view policy itself changes.

Files with `canCDN` (totally public data like profile images, CSS, JS, etc) use "cache-control: public" so they can be CDN'd.

Files without `canCDN` use "cache-control: private" so they won't be cached by the CDN. They could still be cached by a misbehaving local cache, but if you don't want your users seeing one anothers' secret files you should configure your local network properly.

Our "Cache-Control" headers were also from 1999 or something, update them to be more modern/sane. I can't find any evidence that any browser has done the wrong thing with this simpler ruleset in the last ~10 years.

Test Plan:
  - Configured alternate file domain.
  - Viewed site: stuff worked.
  - Accessed a file on primary domain, got redirected to alternate domain.
  - Verified proper cache headers for `canCDN` (public) and non-`canCDN` (private) files.
  - Uploaded a file to a task, edited task policy, verified it scrambled the old URI.
  - Reloaded task, new URI generated transparently.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T10262

Differential Revision: https://secure.phabricator.com/D15642
2016-04-06 14:14:36 -07:00
..
__tests__ phtize all the things 2015-05-22 21:16:39 +10:00
configuration Use AphrontRequestStream to read request input 2016-03-17 08:08:18 -07:00
exception Replace AphrontUsageException with AphrontMalformedRequestException 2015-09-03 10:04:17 -07:00
handler Modularize Aphront exception handling 2015-09-03 10:04:42 -07:00
httpparametertype Support HTTP parameter prefilling in EditEngine forms for CustomFields 2015-12-02 09:32:26 -08:00
interface Allow Controllers to return a wider range of "response-like" objects 2015-09-01 15:52:52 -07:00
response Don't require one-time tokens to view file resources 2016-04-06 14:14:36 -07:00
sink Extend from Phobject 2015-06-15 18:02:27 +10:00
site Put back "PhabricatorResourceSite" 2015-12-11 08:22:16 -08:00
AphrontController.php Provide an AphrontController implementation of willSendResponse() 2015-09-07 17:18:35 -07:00
AphrontRequest.php Use large text columns to store IP addresses 2016-02-02 10:13:14 -08:00