Add Vary headers in responses

[kotx]

This prevents caching servers like Cloudflare from caching responses when Accept or X-Decrypt-Password request headers vary. Before this, servers like Cloudflare would cache the html preview page regardless of Accept header (meaning curls and non-browser requests would also return a cached preview page). Adding a Vary header should prevent that.

More info here: https://blog.cloudflare.com/vary-for-images-serve-the-correct-images-to-the-correct-browsers/

[aspacca]

@kotx thank you very much for the contribution

please, see my comments

[aspacca]

previewHandler should not be sensible to X-Decrypt-Password

[aspacca]

indeed not event to Accept, or do I miss anything?

[kotx]

I think the Vary header should always be the same for the same URL.

[aspacca]

I think the Vary header should always be the same for the same URL.

I had this doubt just after leaving the comment

the for previewHandler, getHandler and headHandler we must set Range, X-Decrypt-Password
for viewHandler only Accept

[kotx]

viewHandler is only for /, yes? I don't know if it should vary based on X-Decrypt-Password, only for the file route.
Is that okay?

[kotx]

Should be fixed in the latest commit

[aspacca]

sorry, file route should have w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")

[kotx]

Sorry, I thought getHandler was the file route, do you mean zipHandler, tarHandler, tarGzHandler, etc should also have the vary header?

[aspacca]

these three ones:

https://github.com/dutchcoders/transfer.sh/pull/536/files#diff-961509ed3ff668f3172148150903514fb3394d6ff090d6db78d986875b13689fR246
https://github.com/dutchcoders/transfer.sh/pull/536/files#diff-961509ed3ff668f3172148150903514fb3394d6ff090d6db78d986875b13689fR1161
https://github.com/dutchcoders/transfer.sh/pull/536/files#diff-961509ed3ff668f3172148150903514fb3394d6ff090d6db78d986875b13689fR1255

currently they have w.Header().Set("Vary", "Accept, Referer, X-Decrypt-Password")
it should be w.Header().Set("Vary", "Range, Referer, X-Decrypt-Password")

response changes based on Accept only for / (viewHandler)
reponse for /{token}/{filename} changes Range, Referer, X-Decrypt-Password

Range and X-Decrypt-Password are used on getHandler
according to the Referer value we route to previewHandler or getHandler

finally headHandler should have the same Vary value since this should be the same based on URL and not URL+HTTP Method

[kotx]

Got it, so sorry for the confusion!
Made the changes you requested

[aspacca]

More info here: https://blog.cloudflare.com/vary-for-images-serve-the-correct-images-to-the-correct-browsers/

I'm not 100% sure about the cloudflare behaviour on the Vary header: the article mentions only Accept, is just for the sake of the example?

If not, and they only "react" to Accept it seems to me that they are forcing the upstream service behind their cache to send a value that does not respect the real ones that should be set: in this case I would set the proper ones, and if it still does not work with cloudflare cache please ask them to fix ;)

[kotx]

More info here: https://blog.cloudflare.com/vary-for-images-serve-the-correct-images-to-the-correct-browsers/

I'm not 100% sure about the cloudflare behaviour on the Vary header: the article mentions only Accept, is just for the sake of the example?

I've only just discovered this, but apparently Cloudflare only allows Vary for images on the non-free plans? :(

But normally, Cloudflare and any server should not cache if the headers in Vary are different.

[aspacca]

But normally, Cloudflare and any server should not cache if the headers in Vary are different.

yes, I'm fine adding the Vary header, just I won't implement it to make cloudflare happy, but according to the rfc :)

[aspacca]

@kotx could you please merge the main branch on yours?
thanks

[kotx]

could you please merge the main branch on yours? thanks

Done, hope this works