
Don't use version for cache control #233

Merged
merged 2 commits into stretch-unstable from dont_use_version_for_cache_control on Apr 2, 2019

@alexAubin
Member

commented Mar 22, 2019

Problem

Soooo Goffanon spotted this issue: we still leak the version number in the <head> of the webadmin ... this is in fact used to automatically invalidate the cache, so we can't simply remove it ...

Solution

A trick I found (though not really tested yet) is instead to generate on each local machine a random hash and replace it at install time ...

However, as said on the chat, I am not sure how much all of this attempt to hide the version number is worth it ... In practice, since all yunohost admin assets (js, css, ms, ...) are accessible publicly, an attacker could look at the history of changes on those assets to create a script that would do a bunch of requests and infer the version number from the hash of the assets ...

Status

Not really tested, to be discussed
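The approach described in this PR, as an added shell example (not the yunohost-admin project's own install code): a per-install random token replaces the `?v=<version>` cache-busting suffix, so the served `<head>` no longer reveals the installed release while browsers still refetch assets after an upgrade. The `?v=` query-string convention, the sample `<head>` fragment and the function names are assumptions for illustration. The token only hides the version from the HTML; as the comment above notes, the asset contents themselves can still be fingerprinted against a public release history.

```shell
#!/bin/sh
# Added example, not the project's code: swap a version-based cache-busting
# suffix for a random per-install token.

# Constructed sample of a <head> fragment that leaks the version via ?v=.
SAMPLE_HTML='<link rel="stylesheet" href="css/app.css?v=3.5.0">
<script src="js/app.js?v=3.5.0"></script>'

# Generate a 16-hex-character random token from /dev/urandom.
# od/tr are used so the script does not depend on openssl being installed.
gen_cache_token() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Rewrite every ?v=<anything> suffix in $1 to ?v=<token given in $2>.
# The token is hex-only, so it is safe to splice into the sed replacement.
bust_cache() {
    printf '%s\n' "$1" | sed -E "s/\?v=[^\"']+/?v=$2/g"
}

# Return 0 (true) if a semantic-version-shaped ?v= value is still present.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '\?v=[0-9]+\.[0-9]+(\.[0-9]+)?'
}

# Stand-alone usage: regenerate the token on every install/upgrade so the
# cache is invalidated without exposing the version string.
TOKEN=$(gen_cache_token)
bust_cache "$SAMPLE_HTML" "$TOKEN"
```

Running the token generation at install or upgrade time (rather than once at build time) is what keeps the token tied to the local machine, which is the property the PR relies on: a new install or upgrade yields a new token, so cached assets are refetched, but the token carries no information about which release is deployed.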

@alexAubin

Member Author

commented Mar 29, 2019

Bump in case people have some opinion about this

@alexAubin alexAubin added this to the 3.5.x milestone Apr 1, 2019

@alexAubin

Member Author

commented Apr 2, 2019

Tested / fixed and working ... yolomergin' for 3.5 release :s

@alexAubin alexAubin merged commit a5e4b8d into stretch-unstable Apr 2, 2019

@alexAubin alexAubin deleted the dont_use_version_for_cache_control branch Apr 2, 2019
