x/pkgsite: remove HTML replacements

[jba]

The pkg.go.dev frontend replaces placeholders in HTML in several circumstances:

• To insert latest-version information into cached pages, so that it is fresh.
• To display a redirect banner on the first page served after the redirect, and only that page. We don’t want to cache the banner.
• To display the highest tagged major version of a module, if it is not the current version.
• To display whether a module is deprecated or retracted (work in progress).

These replacements have three problems:

1. They are unsafe, since they perform blind string replacement on HTML without any checks or sanitization. All served HTML should be generated via the safehtml package.
2. The latest-version code performs extra database lookups on every request, duplicating work unnecessarily.
3. They obscure control flow, because the replacements happen in a middleware layer far from the page-generating code.

Suggested Fixes

For the redirect banner, we can just avoid caching it. To generalize, we can have our caching middleware respect the outgoing Cache-Control header. https://golang.org/cl/290889 is a proof of concept. We also have to avoid serving from the cache when the cookie is set.

To ensure that latest-version information is fresh, we can adjust the cache TTLs (the time that a page remains cached). Any non-zero TTL can produce a stale page, but perfection here is misleading. It already takes a few minutes from the time someone pushes a new latest version to the proxy, to the time that the frontend can display that version.

Frontend fetch speeds up the process, making a module available in under 30 seconds in most cases. But it is only triggered on a 404, which isn’t cached. So visiting the same URL that was just fetched should result in a fresh page. (Visiting the unversioned URL after fetching the versioned one would involve the cache, which isn't ideal. At present I have no good solution for that.)

Experiments show that about two-thirds of cache hits occur in the first five minutes, so changing the TTL to 5 minutes should not affect the cache hit ratio signicantly.

[gopherbot]

Change https://golang.org/cl/290969 mentions this issue: internal/frontend: reduce cache TTLs to 10 minutes

[jba]

We should also explore doing cache invalidation from the worker.

[gopherbot]

Change https://golang.org/cl/292070 mentions this issue: internal/frontend: separate 404 redirect tests

[gopherbot]

Change https://golang.org/cl/292429 mentions this issue: internal/cookie: fix error return bug

[gopherbot]

Change https://golang.org/cl/292449 mentions this issue: internal/frontend: test redirect banner

[gopherbot]

Change https://golang.org/cl/292489 mentions this issue: internal/frontend: handle redirect in main serving path

[gopherbot]

Change https://golang.org/cl/292492 mentions this issue: internal/middleware: remove latest-minor-class substitution

[gopherbot]

Change https://golang.org/cl/292491 mentions this issue: internal/middleware: remove latest-minor-version substitution

[gopherbot]

Change https://golang.org/cl/293009 mentions this issue: internal/frontend: do latest-major-version logic in main serving path