relative URLs in cachified CSS files #37

pirxpilot opened this Issue Sep 14, 2013 · 2 comments


None yet
2 participants

I have several resources (images) referenced from CSS file that is cachified - which means that they get 'cachify' treatment by the virtue of their URLs having the same prefix as the CSS file that is referencing them. It worked OK until #32 was merged - I know that images do not change whenever CSS changes (or vice versa) but it was a good enough solution.

Of course it does not work in 0.0.14 or later since we are now making sure that file we are returning has the same hash that is referenced by the URL.

If that really is a desired behavior, that's fine. If not I have couple of ideas I would gladly implement if there is any interest:

  1. we could make 'strict checking' optional, or
  2. we could make 'strict checking' smarter - for example by only allowing only a set of prefixes that we previously generated (which incidentally should be much faster than recalculating the hash on each request and still provide decent security)

If something like that seems remotely merge-able I'll try to prepare a PR. If I am missing the point here or misusing the module I'll close the issue to take my worries to a private fork.
Thanks for the great module.

@pirxpilot pirxpilot added a commit to pirxpilot/connect-cachify that referenced this issue Sep 15, 2013

@pirxpilot pirxpilot Simplify 'invalid cashes' verification
Instead of checking cachify prefix against the md5 hash of the file
content we just check if the said prefix is among the ones that we
previously generated.

It provides a safeguard against someone maliciously attempting to clog
the downstream cache by sending us a great number of invalid URLs and
has an added benefit of beeing much simpler than 'recalculate the hash'

Fixes #37

I am seeing the same issue with relative fonts in the CSS file. Any progress on this?

Yup: it's still an issue and it affects all relative URL regardless of the resource type.
See comments on my PR #38
I since decided to write connect-cachify-static that is limited to static resources but does not have this particular problem. Maybe you can use it instead.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment