-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP Headers Cleanup: API and Gateway #132
Comments
/cc @hsanjuan |
Share App does not need this header. See also: - Potential problem with `Access-Control-Allow-Credentials`: ipfs/kubo#5745 - HTTP Headers Cleanup: ipfs/in-web-browsers#132
For the record, in Q4 2018 headers look like this 🙃 Public Gateway at ipfs.io$ curl -s -I -X GET https://ipfs.io/ipfs/QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR | grep -i Access-Control
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output
Access-Control-Expose-Headers: Content-Range, X-Chunked-Output, X-Stream-Output go-ipfs v0.4.18 defaults(equal to $ curl -s -I -X GET http://127.0.0.1:8080/ipfs/QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR | grep -i Access-Control
Access-Control-Allow-Headers: Content-Range, X-Chunked-Output, X-Stream-Output
Access-Control-Allow-Methods: PUT
Access-Control-Allow-Methods: GET
Access-Control-Allow-Methods: POST
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Range, X-Chunked-Output, X-Stream-Output js-ipfs v0.33.1 defaults(no $ curl -s -I -X GET http://127.0.0.1:9090/ipfs/QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR | grep -i Access-Control
access-control-allow-headers: X-Stream-Output, X-Chunked-Output, X-Content-Length
access-control-expose-headers: X-Stream-Output, X-Chunked-Output, X-Content-Length |
|
Summary
We should have:
Interop tests that ensure HTTP responses have the same headers and values, no matter which implementation is the backend
Diagnostic tool/script that can be run against any HTTP API or Gateway port and provide quick health status
Status
TODO
Go over below headers of interest and ensure proper safeguards are in place.
Gateway
X-Ipfs-Path
: IPFS Path of returned resourceEtag
: resolved CID/multihash of returned payloadIf-None-Match
headerCache-Control
:/ipfs/
namespaceCache-Control
for/ipns/
– https://github.com/ipfs/go-ipfs/issues/1818 / No cache-control on Host: based requests kubo#5968 / disable-last-modified-behaviour-ipns-routes kubo#8074Stale-While-Revalidate
in browsers https://www.mnot.net/blog/2014/06/01/chrome_and_stale-while-revalidateSuborigin
: use root CID in base32 and literal prefix to conformto the current suborigin spec (Suborigins #66)
Last-Modified
topic/CORS
in general: https://github.com/ipfs/go-ipfs/labels/topic%2FCORSX-Content-Type-Options: nosniff
which causes CSS files to be returned astext/plain
(relative links in files not added ipfs-shipyard/ipfs-deploy#86 (comment))API
Etag
&Cache-Control
: without this, all content addressed "gets" skip browser cache which results in degraded performance and wasted bandwidth (details: Add etag and other caching headers to all content addressed gets in api kubo#3543)X-Chunked-Output
: various API endpoints break without it (eg. Unexpected X-Chunked-Output in /api/v0/version response kubo#5711)Access-Control-Expose-Header
: without this, JS is unable to seeX-Chunked-Output
in Chrome ([CORS] Old library makes exploitable CORS configuration (need to update dependency) kubo#5745)User-Agent
in default list ofAccess-Control-Allow-Headers
to follow whatwg/fetch spec (Adduser-agent
to default list ofAccess-Control-Allow-Headers
kubo#5138)Access-Control-Allow-Credentials
should be removed from docs as it is not used and may cause security issues in some setups.Related
403 - Forbidden
ipfs-shipyard/ipfs-share-files#17 (comment): Gateway requests responds with 403 - Forbidden-Allow-Headers
vs-Expose-Headers
The text was updated successfully, but these errors were encountered: